Windows Analysis Report XnQ8NBKkhW.exe

Overview

General Information

Sample Name: XnQ8NBKkhW.exe
Analysis ID: 502390
MD5: c2f9ae069b620080b761d9280473e7aa
SHA1: 3df08169a1cb6ec49b4359e5b580c56da2740945
SHA256: 1ff5df8d27ee5989ad0e7c7270bf3c6d711a4ea6141043dedf2ce7028ae1bf42
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • XnQ8NBKkhW.exe (PID: 1500 cmdline: 'C:\Users\user\Desktop\XnQ8NBKkhW.exe' MD5: C2F9AE069B620080B761D9280473E7AA)
    • plfiqbrm.pif (PID: 1700 cmdline: 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan MD5: 8E699954F6B5D64683412CC560938507)
      • RegSvcs.exe (PID: 3620 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 6436 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • plfiqbrm.pif (PID: 6416 cmdline: 'C:\Users\user\68821130\plfiqbrm.pif' C:\Users\user\68821130\mofcxpne.aan MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 6576 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf9dd:$x1: NanoCore.ClientPluginHost
  • 0x427e5:$x1: NanoCore.ClientPluginHost
  • 0xfa1a:$x2: IClientNetworkHost
  • 0x42822:$x2: IClientNetworkHost
  • 0x1354d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x46355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xf745:$a: NanoCore
    • 0xf755:$a: NanoCore
    • 0xf989:$a: NanoCore
    • 0xf99d:$a: NanoCore
    • 0xf9dd:$a: NanoCore
    • 0x4254d:$a: NanoCore
    • 0x4255d:$a: NanoCore
    • 0x42791:$a: NanoCore
    • 0x427a5:$a: NanoCore
    • 0x427e5:$a: NanoCore
    • 0xf7a4:$b: ClientPlugin
    • 0xf9a6:$b: ClientPlugin
    • 0xf9e6:$b: ClientPlugin
    • 0x425ac:$b: ClientPlugin
    • 0x427ae:$b: ClientPlugin
    • 0x427ee:$b: ClientPlugin
    • 0xf8cb:$c: ProjectData
    • 0x426d3:$c: ProjectData
    • 0x102d2:$d: DESCrypto
    • 0x430da:$d: DESCrypto
    • 0x17c9e:$e: KeepAlive
    00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xfe5d:$x1: NanoCore.ClientPluginHost
    • 0xfe9a:$x2: IClientNetworkHost
    • 0x139cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      13.2.RegSvcs.exe.6110000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
      13.2.RegSvcs.exe.6110000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
      21.2.RegSvcs.exe.4914d2d.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0x241f8:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
      • 0x24225:$x2: IClientNetworkHost
      21.2.RegSvcs.exe.4914d2d.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0x241f8:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0x252d3:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
      • 0x24212:$s5: IClientLoggingHost
      21.2.RegSvcs.exe.4914d2d.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

        Sigma Overview

        AV Detection:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
        Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan, ParentImage: C:\Users\user\68821130\plfiqbrm.pif, ParentProcessId: 1700, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620
        Sigma detected: Possible Applocker Bypass
        Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan, ParentImage: C:\Users\user\68821130\plfiqbrm.pif, ParentProcessId: 1700, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620

        Stealing of Sensitive Information:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        AV Detection:

        Yara detected Nanocore RAT
        Source: Yara match, File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR
        Multi AV Scanner detection for submitted file
        Source: XnQ8NBKkhW.exe, Virustotal: Detection: 39%
        Source: XnQ8NBKkhW.exe, ReversingLabs: Detection: 46%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\68821130\plfiqbrm.pif, Virustotal: Detection: 31%
        Source: C:\Users\user\68821130\plfiqbrm.pif, ReversingLabs: Detection: 32%
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 13.2.RegSvcs.exe.6310000.8.unpack, Avira: Label: TR/NanoCore.fadte
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: XnQ8NBKkhW.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: XnQ8NBKkhW.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XnQ8NBKkhW.exe
        Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.514255338.0000000000C22000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000000.324832145.00000000002E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Code function: 0_2_0137A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0137A2DF
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Code function: 0_2_0138AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0138AFB9
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Code function: 0_2_01399FD3 FindFirstFileExA,0_2_01399FD3
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose,8_2_00C1399B
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C2BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,8_2_00C2BCB3
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C32408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,8_2_00C32408
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C58877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_00C58877
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C2280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00C2280D
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C3CAE7 FindFirstFileW,FindNextFileW,FindClose,8_2_00C3CAE7
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C11A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00C11A73
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 15_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose,15_2_00C1399B

        Networking:

        Uses dynamic DNS services
        Source: unknown, DNS query: name: ezeani.duckdns.org
        Source: global traffic, TCP traffic: 192.168.2.5:49764 -> 194.5.98.48:8338
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://crl.globalsign.net/Root.crl0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://crl.globalsign.net/root.crl0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://www.autoitscript.com/autoit3/0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://www.globalsign.net/repository/0
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://www.globalsign.net/repository/03
        Source: plfiqbrm.pif.0.dr, String found in binary or memory: http://www.globalsign.net/repository09
        Source: unknown, DNS traffic detected: queries for: ezeani.duckdns.org
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C22285 InternetQueryDataAvailable,InternetReadFile,8_2_00C22285
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C242E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,8_2_00C242E1
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C3A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00C3A0FC
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C4D91D OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00C4D91D
        Source: RegSvcs.exe, 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C5C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_00C5C7D6

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match, File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\68821130\plfiqbrm.pif, Code function: 8_2_00C26219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
        Source: plfiqbrm.pif.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe, Section loaded: dxgidebug.dll
        Source: XnQ8NBKkhW.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 13.2.RegSvcs.exe.6110000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.6110000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.RegSvcs.exe.383ce74.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.RegSvcs.exe.383ce74.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C133A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,8_2_00C133A3
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: String function: 0138D940 appears 51 times
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: String function: 0138E2F0 appears 31 times
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: String function: 0138D870 appears 35 times
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: String function: 00C259E6 appears 70 times
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: String function: 00BF14F7 appears 44 times
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: String function: 00BF6B90 appears 65 times
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: String function: 00BF8115 appears 35 times
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: String function: 00BF333F appears 36 times
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_01376FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_01376FC6
        Source: XnQ8NBKkhW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeFile created: C:\Users\user\68821130
        Source: classification engineClassification label: mal100.troj.evad.winEXE@13/38@9/2
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeFile read: C:\Windows\win.ini
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_01376D06 GetLastError,FormatMessageW,0_2_01376D06
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0138963A
        Source: XnQ8NBKkhW.exeVirustotal: Detection: 39%
        Source: XnQ8NBKkhW.exeReversingLabs: Detection: 46%
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeFile read: C:\Users\user\Desktop\XnQ8NBKkhW.exe
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\XnQ8NBKkhW.exe 'C:\Users\user\Desktop\XnQ8NBKkhW.exe'
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeProcess created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan
        Source: C:\Users\user\68821130\plfiqbrm.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: unknownProcess created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' C:\Users\user\68821130\mofcxpne.aan
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\68821130\plfiqbrm.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C133A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,8_2_00C133A3
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C44AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,8_2_00C44AEB
        Source: C:\Users\user\68821130\plfiqbrm.pifFile created: C:\Users\user\temp\palnmuffs.msc
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C4E0F6 CoInitialize,CoCreateInstance,CoUninitialize,8_2_00C4E0F6
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C3D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,8_2_00C3D606
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C13EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification,8_2_00C13EC5
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCommand line argument: sfxname0_2_0138CBB8
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCommand line argument: sfxstime0_2_0138CBB8
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCommand line argument: STARTDLG0_2_0138CBB8
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: XnQ8NBKkhW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: XnQ8NBKkhW.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XnQ8NBKkhW.exe
        Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.514255338.0000000000C22000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000000.324832145.00000000002E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: XnQ8NBKkhW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: XnQ8NBKkhW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: XnQ8NBKkhW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: XnQ8NBKkhW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: XnQ8NBKkhW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138E336 push ecx; ret 0_2_0138E349
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138D870 push eax; ret 0_2_0138D88E
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C0D53C push 7400C0CFh; iretd 8_2_00C0D541
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BF6BD5 push ecx; ret 8_2_00BF6BE8
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 13_2_071F27CE push es; ret 13_2_071F27D0
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 13_2_071F2879 push ebx; ret 13_2_071F287A
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 15_2_00BF6BD5 push ecx; ret 15_2_00BF6BE8
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BEEE30 LoadLibraryA,GetProcAddress,8_2_00BEEE30
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeFile created: C:\Users\user\68821130\__tmp_rar_sfx_access_check_4215843
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
        Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names
        Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names

        Persistence and Installation Behavior:

        Drops PE files with a suspicious file extension
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File created: C:\Users\user\68821130\plfiqbrm.pif
        Source: C:\Users\user\68821130\plfiqbrm.pif File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C5A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,8_2_00C5A2EA
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C143FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_00C143FF
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\68821130\plfiqbrm.pif Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM autoit script
        Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep count: 4966 > 30
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep time: -49660s >= -30000s
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep count: 90 > 30
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep count: 4253 > 30
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep time: -42530s >= -30000s
        Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep count: 110 > 30
        Source: C:\Users\user\68821130\plfiqbrm.pif Thread sleep count: Count: 4966 delay: -10
        Source: C:\Users\user\68821130\plfiqbrm.pif Thread sleep count: Count: 4253 delay: -10
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\68821130\plfiqbrm.pif Window / User API: threadDelayed 4966
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 3208
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 6264
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 686
        Source: C:\Users\user\68821130\plfiqbrm.pif Window / User API: threadDelayed 4253
        Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: VMwareService.exe444D6`
        Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmpBinary or memory string: VMwareService.exe59767
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then46v
        Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then631
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then"
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then?
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: VMwaretray.exeO
        Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exe5FB536C7
        Source: mofcxpne.aan.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
        Source: mofcxpne.aan.0.drBinary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: mofcxpne.aan.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exe
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exeE97637D6
        Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmpBinary or memory string: VMwaretray.exe\6
        Source: RegSvcs.exe, 0000000D.00000002.516668374.0000000001B04000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
        Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Thenl
        Source: mofcxpne.aan.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
        Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmpBinary or memory string: VboxService.exe
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: mofcxpne.aan.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: C:\Users\user\68821130\plfiqbrm.pif Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138D353 VirtualQuery,GetSystemInfo,0_2_0138D353
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0137A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0137A2DF
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0138AFB9
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_01399FD3 FindFirstFileExA,0_2_01399FD3
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose,8_2_00C1399B
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C2BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,8_2_00C2BCB3
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C32408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,8_2_00C32408
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C58877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_00C58877
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C2280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00C2280D
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C3CAE7 FindFirstFileW,FindNextFileW,FindClose,8_2_00C3CAE7
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C11A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00C11A73
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 15_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose,15_2_00C1399B
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BEEE30 LoadLibraryA,GetProcAddress,8_2_00BEEE30
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_01396AF3 mov eax, dword ptr fs:[00000030h]0_2_01396AF3
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0138E4F5
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0139ACA1 GetProcessHeap,0_2_0139ACA1
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BF6374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk,8_2_00BF6374
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C3A35D BlockInput,8_2_00C3A35D
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138E643 SetUnhandledExceptionFilter,0_2_0138E643
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0138E4F5
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_0138E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0138E7FB
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exeCode function: 0_2_01397BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01397BE1
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BFF170 SetUnhandledExceptionFilter,8_2_00BFF170
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00BFA128
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BF7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00BF7CCD
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 15_2_00BFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00BFA128
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 15_2_00BF7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00BF7CCD

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000 protect: page execute and read and write
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000 value starts with: 4D5A
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E81000
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
        Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1188000
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C143FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_00C143FF
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Process created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan
        Source: C:\Users\user\68821130\plfiqbrm.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C16C61 LogonUserW,8_2_00C16C61
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00BED7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,8_2_00BED7A0
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C13321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,8_2_00C13321
        Source: C:\Users\user\68821130\plfiqbrm.pifCode function: 8_2_00C2602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,8_2_00C2602A
        Source: RegSvcs.exe, 0000000D.00000002.519819901.0000000003CB2000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: plfiqbrm.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: plfiqbrm.pif, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: RegSvcs.exe, 0000000D.00000002.518911849.0000000003936000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa+n
        Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: Program Manager*7
        Source: RegSvcs.exe, 0000000D.00000002.521708279.000000000733C000.00000004.00000010.sdmp Binary or memory string: Program ManagerL
        Source: mofcxpne.aan.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
        Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: Program ManagerT
        Source: plfiqbrm.pif, 00000008.00000002.515016602.0000000000C62000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.517254514.0000000000C62000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: RegSvcs.exe, 0000000D.00000002.521594642.000000000716D000.00000004.00000010.sdmp Binary or memory string: Program ManagerL(
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_01389D99
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E34B cpuid 0_2_0138E34B
        Source: C:\Users\user\68821130\plfiqbrm.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,0_2_0138CBB8
        Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,8_2_00BFE284
        Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137A995 GetVersionExW,0_2_0137A995

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: plfiqbrm.pif, 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 0000000D.00000002.518429409.0000000003811000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: plfiqbrm.pif, 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C4C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,8_2_00C4C06C
        Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C565D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_00C565D3
        Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C44EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,8_2_00C44EFB

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts 2 | Native API 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Command and Scripting Interpreter 2 | Valid Accounts 2 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Valid Accounts 2 | Obfuscated Files or Information 2 | Security Account Manager | System Information Discovery 36 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation 21 | Software Packing 12 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Process Injection 312 | DLL Side-Loading 1 | LSA Secrets | Security Software Discovery 121 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job 1 | Masquerading 11 | Cached Domain Credentials | Virtualization/Sandbox Evasion 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts 2 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 31 | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 21 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 312 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

        Behavior Graph

        [Behavior graph image not reproduced. Behavior Graph ID: 502390, Sample: XnQ8NBKkhW.exe, Startdate: 13/10/2021, Architecture: WINDOWS, Score: 100]

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        | Source | Detection | Scanner | Label |
        |---|---|---|---|
        | XnQ8NBKkhW.exe | 39% | Virustotal | |
        | XnQ8NBKkhW.exe | 46% | ReversingLabs | Win32.Trojan.Lisk |

        Dropped Files

        | Source | Detection | Scanner | Label |
        |---|---|---|---|
        | C:\Users\user\68821130\plfiqbrm.pif | 32% | Virustotal | |
        | C:\Users\user\68821130\plfiqbrm.pif | 32% | ReversingLabs | |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Virustotal | |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Metadefender | |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs | |

        Unpacked PE Files

        | Source | Detection | Scanner | Label |
        |---|---|---|---|
        | 21.2.RegSvcs.exe.1300000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 |
        | 13.2.RegSvcs.exe.6310000.8.unpack | 100% | Avira | TR/NanoCore.fadte |
        | 13.2.RegSvcs.exe.1000000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 |

        Domains

        No Antivirus matches

        URLs

        | Source | Detection | Scanner | Label |
        |---|---|---|---|
        | http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | URL Reputation | safe |
        | http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe |
        | http://www.globalsign.net/repository09 | 0% | URL Reputation | safe |
        | http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe |
        | http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe |

        Domains and IPs

        Contacted Domains

        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | ezeani.duckdns.org | 194.5.98.48 | true | false | | high |

          URLs from Memory and Binaries

          | Name | Source | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|
          | http://secure.globalsign.net/cacert/PrimObject.crt0 | plfiqbrm.pif.0.dr | false | URL Reputation: safe | unknown |
          | http://secure.globalsign.net/cacert/ObjectSign.crt09 | plfiqbrm.pif.0.dr | false | URL Reputation: safe | unknown |
          | http://www.globalsign.net/repository09 | plfiqbrm.pif.0.dr | false | URL Reputation: safe | unknown |
          | http://www.autoitscript.com/autoit3/0 | plfiqbrm.pif.0.dr | false | | high |
          | http://www.globalsign.net/repository/0 | plfiqbrm.pif.0.dr | false | URL Reputation: safe | unknown |
          | http://www.globalsign.net/repository/03 | plfiqbrm.pif.0.dr | false | URL Reputation: safe | unknown |

            Contacted IPs

            Public

            | IP | Domain | Country | ASN | ASN Name | Malicious |
            |---|---|---|---|---|---|
            | 194.5.98.48 | ezeani.duckdns.org | Netherlands | 208476 | DANILENKODE | false |

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:502390
            Start date:13.10.2021
            Start time:21:13:35
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 14m 29s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:XnQ8NBKkhW.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:29
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@13/38@9/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 19% (good quality ratio 18.3%)
            • Quality average: 75.8%
            • Quality standard deviation: 26.8%
            HCA Information:
            • Successful, ratio: 76%
            • Number of executed functions: 169
            • Number of non-executed functions: 213
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 95.100.218.79, 95.100.216.89, 8.248.145.254, 8.248.141.254, 8.248.149.254, 67.26.73.254, 8.248.117.254, 8.247.248.249, 8.247.248.223, 8.247.244.249, 20.199.120.151, 20.199.120.182, 20.50.102.62, 2.20.178.56, 2.20.178.10, 40.112.88.60, 2.20.178.33, 2.20.178.24
            • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
            • Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.

            Simulations

            Behavior and APIs

            | Time | Type | Description |
            |---|---|---|
            | 21:14:58 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows element C:\Users\user\68821130\plfiqbrm.pif C:\Users\user\68821130\mofcxpne.aan |
            | 21:15:09 | API Interceptor | 752x Sleep call for process: RegSvcs.exe modified |
            | 21:15:10 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0) |

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\68821130\bitv.pdf
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):557
            Entropy (8bit):5.466223670451294
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\cavjofbut.icm
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):646
            Entropy (8bit):5.501085040576136
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\dcxtmvu.msc
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):533
            Entropy (8bit):5.494236541799768
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\fvnexf.xls
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):576
            Entropy (8bit):5.4475963792195135
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\fvokcn.ppt
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):508
            Entropy (8bit):5.493645123258151
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\gctbg.xls
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):672
            Entropy (8bit):5.486863867804244
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\gtttp.jpg
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):560
            Entropy (8bit):5.5679539900788795
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\heakhaws.cpl
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):662
            Entropy (8bit):5.451796800769334
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\hgvswqfand.bin
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):553
            Entropy (8bit):5.496798251649183
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\hnjw.txt
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):586
            Entropy (8bit):5.436153215893494
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\hqsnlpl.msc
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):545
            Entropy (8bit):5.412666062462004
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\ibcwqengn.dat
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):520
            Entropy (8bit):5.474030452753662
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\ikbt.rwv
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with very long lines, with no line terminators
            Category:dropped
            Size (bytes):416786
            Entropy (8bit):4.000012827458825
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\jebjct.ico
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):558
            Entropy (8bit):5.414538522632163
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\jgukpqf.cpl
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):569
            Entropy (8bit):5.485236454639823
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\kedwlpbcj.bin
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):566
            Entropy (8bit):5.435837082071211
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\krxdtoehb.pdf
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):624
            Entropy (8bit):5.519579586596138
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\ktwp.docx
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):559
            Entropy (8bit):5.426020407000818
            Encrypted:false
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\llbflml.icm
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):533
            Entropy (8bit):5.455945159617544
            Encrypted:false
            SSDEEP:12:EsIFErdTKZmCxZp+Qkqi4V5UexrGbvAWdzpjyaE:KErNKoCwZVaWexrGbLzEn
            MD5:8E44EB24D752CDACB2FAA40CC506CDE2
            SHA1:799001993436019E4F353650BC4F3C0C43BC89DE
            SHA-256:02437D81E41DF987C1D743FBF054FB54DF6DAF47D3E4C995879C92DB7B9A4402
            SHA-512:6C8C858C6FD8DCD433A6DF2A5ED981ACF05D90F484AD08E46A5D6EC54F46327B99F79EC3C143D9AD2FB149111BE70E0439FEEF146F67A29655DAE5220825A4D1
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\mamwlmew.bmp
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):564
            Entropy (8bit):5.522896281027247
            Encrypted:false
            SSDEEP:12:mtOc72uqOrc0RsmkCg/2FvQRQHNfIdTba28k2daIfLL:mtOcDrc0RpkCg/ubZYTa5n
            MD5:19D83EE8855BD72EDDCC58C6EC159ADA
            SHA1:46B7FB56BA1C7BEAC33B7CE28420EEBD911D8F06
            SHA-256:F4E16B0FCD33494D42171185B7307B64BFDA982D99835DFFBA829CF1F1112779
            SHA-512:4F17B2E154299A3505D46B33F49CB53247E2A257A287D4AC5A04B63FB110EBC3039F21829594268C0FF82D40A78A616FB9C8308EC1132F8AEE9EFED5A3A3622F
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\mofcxpne.aan
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:data
            Category:dropped
            Size (bytes):101059264
            Entropy (8bit):7.117031967595777
            Encrypted:false
            SSDEEP:49152:pZIZMZEZPZRZ7ZwZAZLZ4ZwZOZ7ZrZpZHZjZMZpZ1ZeZaZ/Z/ZiZmZ5ZQZNZYZrR:4
            MD5:2850D903ECD69BE837FFC6DA1E969874
            SHA1:BF145DF8807BC568CBBCC0DCF0042179293DDA52
            SHA-256:72DAA16A8FB031497B3ED4984CE8A4F6ED8980648AE0422409C92711080EEE85
            SHA-512:32ED7E3A046977E00DA93618AC5A6DA8586F0308BFE009B4D6441B2F88AA3C34B231478DEAA91E02CCC4D37DC781F50A9EF4F7E00A03AD2FCA8D011C033DC6C3
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\npfrp.txt
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):609
            Entropy (8bit):5.420748523281788
            Encrypted:false
            SSDEEP:
            MD5:3F98ACA5866EBE0F3912C414EE6E7BAD
            SHA1:A693BAE0DDAE030A45BD2D3CE0B512613674CB06
            SHA-256:0A4C13A0A5FC320B073C065BEF861407D28FFF382D5B55330B8A02EF88A4A350
            SHA-512:61B2A0E2198E027FA0DB4CDA3DAA4C7A57FA2FD8802E8917B33E72C06966F2363A9DECE6B5ACE93C46F7258547EE941768FBA9D61B572285A1EEAA55AF0FFD78
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\ntqpgj.dat
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):660
            Entropy (8bit):5.456201224379962
            Encrypted:false
            SSDEEP:
            MD5:DA026DE17853E86B3F8D5A1015F9007F
            SHA1:5F2221E7F8F6401704AC5C059A4DDE2013DB7188
            SHA-256:6C0685B051383FF33735D1F64980BEBDB4AD9EFAA185B67D758095B5FFD03C0A
            SHA-512:BA264A0B640FCFD523D845AAC880C19E216A50367CA0B9801FD6960E3EDF0B0220DE7CF1543BB64E96FA027333967D47C0CBB90FF08B7549F54ACA6C1847CBB2
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\palnmuffs.msc
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):65753
            Entropy (8bit):5.575706356828312
            Encrypted:false
            SSDEEP:
            MD5:DAED960F09500D943E479F00125C6EE5
            SHA1:EA18481BC7D4E5E293187C6E6D3FC5B913118635
            SHA-256:8F3067402555EEB18D37E9F5A9CD411A1AAB6D3F85A8C6780243AAD7D6485B71
            SHA-512:6DAD2A1871962E2444DCA49EF09C729A7E4CA2D39935D923FE63140DC62B8FD1B6B3AC561487F99AF3AD3722DD368420AE9764A9B11A3ABAAC7348C4C7F5E8CF
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\plfiqbrm.pif
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):777456
            Entropy (8bit):6.353934532007735
            Encrypted:false
            SSDEEP:
            MD5:8E699954F6B5D64683412CC560938507
            SHA1:8CA6708B0F158EACCE3AC28B23C23ED42C168C29
            SHA-256:C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
            SHA-512:13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
            Malicious:true
            Antivirus:
            • Antivirus: Virustotal, Detection: 32%, Browse
            • Antivirus: ReversingLabs, Detection: 32%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................0............@...@.......@.........................T................................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................R..............@..@.reloc...u.......v...H..............@..B................................................................................................................................................................................................................................................................................................................
            C:\Users\user\68821130\qncxknbrt.cpl
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):504
            Entropy (8bit):5.435100984165968
            Encrypted:false
            SSDEEP:
            MD5:BE106E4BD08CBF7E68679FE46837DE32
            SHA1:2893CEAD14461907E76455BDEA76324A0F07BDE0
            SHA-256:8B6960083235CAD56C1E2B56D99C569C61480CE566AAE890449EF882DE223101
            SHA-512:A933118BA2DCECDDB9106245F2C4AEDE95AFAFFB8E1876DF3191C8DE01E9B52A6DF26B15DB0D96985A12CA60414336C91D4779023136E79B6632CD7642B51A91
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\skglfoubk.ppt
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):508
            Entropy (8bit):5.369433538744767
            Encrypted:false
            SSDEEP:
            MD5:B9CB0C65C143DC282A7710251FE02EDF
            SHA1:C59BA0F9393EA62BF4EA4CCB1A4D2EAAB6FA2176
            SHA-256:E841F4D704A3BFB0CC84594F6B9634160F833DA354568681F61C6B1050CBD20A
            SHA-512:DC4E03CD10BEB2DE9AD047711682784A8B88379318F2C7B8D1AA46DA41A98FD99BA975CCB4D2D8FB3BCD2C60F961378CFA3EF098B4F78AB1E2C9948E93B4BA34
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\uuwtdbgub.pdf
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):588
            Entropy (8bit):5.422166344336593
            Encrypted:false
            SSDEEP:
            MD5:88F8C3EE050CEB9105A1C61DB0B345A9
            SHA1:2A77C70185E5BED6C79494111D1CADF4DC0488DE
            SHA-256:A031E58C189056F58711E736241B2782D3BA962A8DE58048550ADFB147A45E35
            SHA-512:F48F4720C38FC482D1411C96BB7EDA22E5A0AB6A429D8A29729D21A1F2594ACD6A16CCBED499BCF6CBE33FF83454B89E08FCE8E4684EE22C4E91E49AC7F9C084
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\veppqo.bin
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):511
            Entropy (8bit):5.526256819858086
            Encrypted:false
            SSDEEP:
            MD5:5633CF07E54D8B3DFDA857534EACAB22
            SHA1:D4061718E2420736554C24742D460B748C7D02A8
            SHA-256:0703722058175BDA9D32EAFF7DD73B8B30E73638EB645990315ED82ABB5DDED1
            SHA-512:F10DDC89EDB537CC0611333EE0AEECEB05469A3D9EA94EABC717D82865AF2786BC65E70E116C054E6C9280555F2635225BFD9B0EA8FD32C674AE1200CB5642BF
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\whpkfkb.jpg
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):533
            Entropy (8bit):5.448670942393053
            Encrypted:false
            SSDEEP:
            MD5:E2E0B28F8037CB013541CB1CF493BA66
            SHA1:63529E00ACE3AD6C7E7D71580976EBC0E50439E3
            SHA-256:CEFBB3E4B18A04EB4524E441CD7077D40A6463AD247DE93C584E3876D6349E84
            SHA-512:4BD0390FE84812002154A73F533D650BBF8821FF89F69C9D7EBDDEB1C6584F2F47A14DF961A462DB71BE4E5E2A6F29EF40D0984728D7C60B701BCCFCAC5DF5CB
            Malicious:false
            Reputation:unknown
            C:\Users\user\68821130\xfrapvxavq.pdf
            Process:C:\Users\user\Desktop\XnQ8NBKkhW.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):505
            Entropy (8bit):5.615843821595651
            Encrypted:false
            SSDEEP:
            MD5:950FDC6495BAD979136AAF02E62D9FB3
            SHA1:E0AB0FA6EA977D9DC0A73FA87275F21910571A08
            SHA-256:D154E915DF0E35A56F19058B133FF310AF2A724220553D11255FEC759FE24C8C
            SHA-512:9730DF726E4AEEADBCE3523D509B2292C9FD1E5C5BFACF87D8F586390B6E0077A30B93DBAD2D98DACB5BD60FC7170E778F86D17A536598ABB7991DBF2CFEF44B
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):142
            Entropy (8bit):5.090621108356562
            Encrypted:false
            SSDEEP:
            MD5:8C0458BB9EA02D50565175E38D577E35
            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
            Malicious:false
            Reputation:unknown
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Process:C:\Users\user\68821130\plfiqbrm.pif
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):45152
            Entropy (8bit):6.149629800481177
            Encrypted:false
            SSDEEP:
            MD5:2867A3817C9245F7CF518524DFD18F28
            SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
            SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
            SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
            Malicious:true
            Antivirus:
            • Antivirus: Virustotal, Detection: 0%, Browse
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
            C:\Users\user\AppData\Local\Temp\tmpD317.tmp
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1309
            Entropy (8bit):5.0990514427386
            Encrypted:false
            SSDEEP:
            MD5:77AF6D1744407EBD7E0CEC16F3C7168D
            SHA1:FF4E58917D1AB719E40C68542F663121299DAE67
            SHA-256:A519EB5414D05AC7565B5399D9F1EF717D6846695221B21B51820AA69120EDDC
            SHA-512:529FD47B0605315DDD60D10A99A4830C234C5046C9EE575524C3FC85105C701DCD8EEA4F2A1D8AE444D2E42A2CEF37CE23FB9A2BAF4CB0BAA91B590FB555E691
            Malicious:true
            Reputation:unknown
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:data
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:
            MD5:B148361149521339CF680A67610CAB73
            SHA1:D03541402101682147BE62D35E28ABADFC0B9DD9
            SHA-256:14B1A28480719D1ECBFEAE91305D8537B4F8201D3B4FB9D3D5E81961073DB591
            SHA-512:62E9C28E3F3D3098AD9242D9BC2D861CBF5D0C1A3C22B7B50B78DE83EC1425C50E1A7DF867ED433AB5380B1CB745A264AEB1CB44D1529834612995AB2BF3FC5F
            Malicious:true
            Reputation:unknown
            Preview: .o.3..H
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):46
            Entropy (8bit):4.3523814564716385
            Encrypted:false
            SSDEEP:
            MD5:E01C7B4BFFC4D8966DFDD6831E4904F7
            SHA1:FE638E970FB82742E2C4D7EA3AE7E043589304FB
            SHA-256:ECFA3D73848685C232F4B352A5E24F4995B7D55FF4130A26B7BAEB3839280300
            SHA-512:FD9C41391E076E66F9A65DF18CA790EF06518B8033A5D24BF631E6E7F5EACECF34AD2AA7197FEB8B8FC7ED571A3BEFA0C8C940631F6EE5C0F5996D703B6AC50A
            Malicious:false
            Reputation:unknown
            Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            C:\Users\user\temp\palnmuffs.msc
            Process:C:\Users\user\68821130\plfiqbrm.pif
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):93
            Entropy (8bit):5.076928306598549
            Encrypted:false
            SSDEEP:
            MD5:A66DA5ECDDF5D800F67A0BC26FB9BE6B
            SHA1:7BFE01322CA2F3EAAC90C8CEACA4F0DCDA25E6A3
            SHA-256:F80A7E64AD5BCEBC831C491C4D2B884ADFC9F6C56BB83CBBEB3A4FE4D9904BEE
            SHA-512:52BF78ECD8895F565A826F193551EF792D2FD9522D0A945A7CC59554B76ABBB851382CE35178EC2DECC202FDC413B82D796A0086B70C491A85D3AD8E4B931AD4
            Malicious:false
            Reputation:unknown
            Preview: [S3tt!ng]..stpth=%userprofile%..Key=Windows element..Dir3ctory=68821130..ExE_c=plfiqbrm.pif..
            \Device\ConDrv
            Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            File Type:ASCII text, with CRLF, LF line terminators
            Category:dropped
            Size (bytes):215
            Entropy (8bit):4.911407397013505
            Encrypted:false
            SSDEEP:
            MD5:623152A30E4F18810EB8E046163DB399
            SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
            SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
            SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
            Malicious:false
            Reputation:unknown
            Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.81968496708789
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:XnQ8NBKkhW.exe
            File size:1023642
            MD5:c2f9ae069b620080b761d9280473e7aa
            SHA1:3df08169a1cb6ec49b4359e5b580c56da2740945
            SHA256:1ff5df8d27ee5989ad0e7c7270bf3c6d711a4ea6141043dedf2ce7028ae1bf42
            SHA512:595750cb3da3b5c3ead6fbed97d10fec791fff13e38221df6b55abb751e179153bf900858afcea2872b66e6d80bb24e9586444205ae8807ec4e539690931ac24
            SSDEEP:24576:rAOcZEhMGI1altq82FLLZcMdxwI1sDx52gWbh9dlW:tmUh2BVdx/1sDxIrtw
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

            File Icon

            Icon Hash:b491b4ecd336fb5b

            Static PE Info

            General

            Entrypoint:0x41e1f9
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

            Entrypoint Preview

            Instruction
            call 00007F19649A591Fh
            jmp 00007F19649A5313h
            cmp ecx, dword ptr [0043D668h]
            jne 00007F19649A5485h
            ret
            jmp 00007F19649A5A95h
            ret
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00433068h
            mov dword ptr [ecx], 00434284h
            ret
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007F1964998891h
            mov dword ptr [esi], 00434290h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00434298h
            mov dword ptr [ecx], 00434290h
            ret
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 00434278h
            push eax
            call 00007F19649A862Dh
            pop ecx
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 00434278h
            push eax
            call 00007F19649A8616h
            test byte ptr [ebp+08h], 00000001h
            pop ecx
            je 00007F19649A548Ch
            push 0000000Ch
            push esi
            call 00007F19649A4A4Fh
            pop ecx
            pop ecx
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007F19649A53EEh
            push 0043A410h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007F19649A7D15h
            int3
            push ebp
            mov ebp, esp
            sub esp, 0Ch

            Rich Headers

            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [EXP] VS2015 UPD3.1 build 24215
            • [LNK] VS2015 UPD3.1 build 24215
            • [IMP] VS2008 SP1 build 30729
            • [C++] VS2015 UPD3.1 build 24215
            • [RES] VS2015 UPD3 build 24213

            Data Directories

            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x3b540          0x34          .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x3b574          0x3c          .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x4c28        .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x67000          0x210c        .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x397d0          0x54          .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x34218          0x40          .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x32000          0x260         .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x3aaec          0x120         .rdata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

            Sections

            | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
            |---|---|---|---|---|---|---|---|---|
            | .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
            | .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
            | .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
            | .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
            | .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
            | .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

            Resources

            | Name | RVA | Size | Type | Language | Country |
            |---|---|---|---|---|---|
            | PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States |
            | PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States |
            | RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870 | | |
            | RT_DIALOG | 0x64900 | 0x286 | data | English | United States |
            | RT_DIALOG | 0x64b88 | 0x13a | data | English | United States |
            | RT_DIALOG | 0x64cc4 | 0xec | data | English | United States |
            | RT_DIALOG | 0x64db0 | 0x12e | data | English | United States |
            | RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States |
            | RT_DIALOG | 0x65218 | 0x252 | data | English | United States |
            | RT_STRING | 0x6546c | 0x1e2 | data | English | United States |
            | RT_STRING | 0x65650 | 0x1cc | data | English | United States |
            | RT_STRING | 0x6581c | 0x1b8 | data | English | United States |
            | RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States |
            | RT_STRING | 0x65b1c | 0x446 | data | English | United States |
            | RT_STRING | 0x65f64 | 0x166 | data | English | United States |
            | RT_STRING | 0x660cc | 0x152 | data | English | United States |
            | RT_STRING | 0x66220 | 0x10a | data | English | United States |
            | RT_STRING | 0x6632c | 0xbc | data | English | United States |
            | RT_STRING | 0x663e8 | 0xd6 | data | English | United States |
            | RT_GROUP_ICON | 0x664c0 | 0x14 | data | | |
            | RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |

            Imports

            | DLL | Import |
            |---|---|
            | KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer |
            | gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc |

            Possible Origin

            | Language of compilation system | Country where language is spoken |
            |---|---|
            | English | United States |

            Network Behavior

            Snort IDS Alerts

            | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
            |---|---|---|---|---|---|---|---|
            | 10/13/21-21:15:13.025684 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
            | 10/13/21-21:15:23.951576 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
            | 10/13/21-21:15:45.544092 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
            | 10/13/21-21:15:56.081768 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
            | 10/13/21-21:16:22.709861 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59261 | 8.8.8.8 | 192.168.2.5 |
            | 10/13/21-21:16:28.073936 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59413 | 8.8.8.8 | 192.168.2.5 |

            TCP Packets


            UDP Packets


            DNS Queries

            | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
            |---|---|---|---|---|---|---|---|
            | Oct 13, 2021 21:15:12.912091970 CEST | 192.168.2.5 | 8.8.8.8 | 0xd12c | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:18.438546896 CEST | 192.168.2.5 | 8.8.8.8 | 0x268f | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:23.839901924 CEST | 192.168.2.5 | 8.8.8.8 | 0x88df | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:45.430105925 CEST | 192.168.2.5 | 8.8.8.8 | 0x1d87 | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:50.745449066 CEST | 192.168.2.5 | 8.8.8.8 | 0x57b3 | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:55.969116926 CEST | 192.168.2.5 | 8.8.8.8 | 0x58de | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:17.388024092 CEST | 192.168.2.5 | 8.8.8.8 | 0x2dc3 | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:22.595729113 CEST | 192.168.2.5 | 8.8.8.8 | 0xe566 | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:27.958744049 CEST | 192.168.2.5 | 8.8.8.8 | 0x7166 | Standard query (0) | ezeani.duckdns.org | A (IP address) | IN (0x0001) |

            DNS Answers

            | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
            |---|---|---|---|---|---|---|---|---|---|
            | Oct 13, 2021 21:15:13.025684118 CEST | 8.8.8.8 | 192.168.2.5 | 0xd12c | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:18.456738949 CEST | 8.8.8.8 | 192.168.2.5 | 0x268f | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:23.951575994 CEST | 8.8.8.8 | 192.168.2.5 | 0x88df | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:45.544091940 CEST | 8.8.8.8 | 192.168.2.5 | 0x1d87 | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:50.763768911 CEST | 8.8.8.8 | 192.168.2.5 | 0x57b3 | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:15:56.081768036 CEST | 8.8.8.8 | 192.168.2.5 | 0x58de | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:17.406179905 CEST | 8.8.8.8 | 192.168.2.5 | 0x2dc3 | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:22.709861040 CEST | 8.8.8.8 | 192.168.2.5 | 0xe566 | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |
            | Oct 13, 2021 21:16:28.073935986 CEST | 8.8.8.8 | 192.168.2.5 | 0x7166 | No error (0) | ezeani.duckdns.org | | 194.5.98.48 | A (IP address) | IN (0x0001) |

            System Behavior

            General

            Start time: 21:14:33
            Start date: 13/10/2021
            Path: C:\Users\user\Desktop\XnQ8NBKkhW.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\Desktop\XnQ8NBKkhW.exe'
            Imagebase: 0x1370000
            File size: 1023642 bytes
            MD5 hash: C2F9AE069B620080B761D9280473E7AA
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: low

            General

            Start time: 21:14:51
            Start date: 13/10/2021
            Path: C:\Users\user\68821130\plfiqbrm.pif
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan
            Imagebase: 0x7ff797770000
            File size: 777456 bytes
            MD5 hash: 8E699954F6B5D64683412CC560938507
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 32%, Virustotal, Browse
            • Detection: 32%, ReversingLabs
            Reputation: low

            General

            Start time: 21:14:58
            Start date: 13/10/2021
            Path: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit): true
            Commandline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase: 0xc20000
            File size: 45152 bytes
            MD5 hash: 2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 0%, Virustotal, Browse
            • Detection: 0%, Metadefender, Browse
            • Detection: 0%, ReversingLabs
            Reputation: high

            General

            Start time: 21:15:07
            Start date: 13/10/2021
            Path: C:\Users\user\68821130\plfiqbrm.pif
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\68821130\plfiqbrm.pif' C:\Users\user\68821130\mofcxpne.aan
            Imagebase: 0xbe0000
            File size: 777456 bytes
            MD5 hash: 8E699954F6B5D64683412CC560938507
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:21:15:08
            Start date:13/10/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'
            Imagebase:0x280000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:21:15:08
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:21:15:10
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
            Imagebase:0x2e0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high

            General

            Start time:21:15:10
            Start date:13/10/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:21:15:14
            Start date:13/10/2021
            Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
            Imagebase:0xf20000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

            Disassembly

            Code Analysis


              Executed Functions

              C-Code - Quality: 17%
              			E0138CBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
              				char _v208;
              				void* __ebx;
              				void* __edi;
              				void* _t41;
              				long _t51;
              				void* _t54;
              				intOrPtr _t58;
              				struct HWND__* _t74;
              				void* _t75;
              				WCHAR* _t95;
              				struct HINSTANCE__* _t97;
              				intOrPtr _t99;
              				void* _t103;
              				void* _t105;
              				void* _t106;
              				void* _t107;
              				void* _t125;
              
              				_t125 = __fp0;
              				_t89 = __edx;
              				E0137FD49(__edx, 1);
              				E013895F8("C:\Users\alfons\Desktop", 0x800);
              				E01389AA0( &_v208); // executed
              				E01381017(0x13b7370);
              				_t74 = 0;
              				E0138E920(0x7104, 0x13c5d08, 0, 0x7104);
              				_t106 = _t105 + 0xc;
              				_t95 = GetCommandLineW();
              				_t110 = _t95;
              				if(_t95 != 0) {
              					_push(_t95);
              					E0138B356(0, _t110);
              					if( *0x13b9601 == 0) {
              						E0138C891(__eflags, _t95); // executed
              					} else {
              						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
              						if(_t103 != 0) {
              							UnmapViewOfFile(_t75);
              							_t74 = 0;
              						}
              						CloseHandle(_t103);
              					}
              				}
              				GetModuleFileNameW(_t74, 0x13cce18, 0x800);
              				SetEnvironmentVariableW(L"sfxname", 0x13cce18);
              				GetLocalTime(_t106 + 0xc);
              				_push( *(_t106 + 0x1a) & 0x0000ffff);
              				_push( *(_t106 + 0x1c) & 0x0000ffff);
              				_push( *(_t106 + 0x1e) & 0x0000ffff);
              				_push( *(_t106 + 0x20) & 0x0000ffff);
              				_push( *(_t106 + 0x22) & 0x0000ffff);
              				_push( *(_t106 + 0x22) & 0x0000ffff);
              				E01373E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
              				_t107 = _t106 + 0x28;
              				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
              				_t97 = GetModuleHandleW(_t74);
              				 *0x13b0064 = _t97;
              				 *0x13b0060 = _t97; // executed
              				_t41 = LoadIconW(_t97, 0x64); // executed
              				 *0x13bb704 = _t41;
              				 *0x13c5d04 = E0138A4F8(_t89, _t125);
              				E0137CFAB(0x13b0078, _t89, 0x13cce18);
              				E013883FC(0);
              				E013883FC(0);
              				 *0x13b75e8 = _t107 + 0x5c;
              				 *0x13b75ec = _t107 + 0x30; // executed
              				DialogBoxParamW(_t97, L"STARTDLG", _t74, E0138A5D1, _t74); // executed
              				 *0x13b75ec = _t74;
              				 *0x13b75e8 = _t74;
              				E013884AE(_t107 + 0x24);
              				E013884AE(_t107 + 0x50);
              				_t51 =  *0x13cde28;
              				if(_t51 != 0) {
              					Sleep(_t51);
              				}
              				if( *0x13b85f8 != 0) {
              					E01389CA1(0x13cce18);
              				}
              				E0137E797(0x13c5c00);
              				if( *0x13b75e4 > 0) {
              					L01392B4E( *0x13b75e0);
              				}
              				DeleteObject( *0x13bb704);
              				_t54 =  *0x13c5d04;
              				if(_t54 != 0) {
              					DeleteObject(_t54);
              				}
              				if( *0x13b00e0 == 0 &&  *0x13b75d7 != 0) {
              					E01376E03(0x13b00e0, 0xff);
              				}
              				_t55 =  *0x13cde2c;
              				 *0x13b75d7 = 1;
              				if( *0x13cde2c != 0) {
              					E0138C8F0(_t55);
              					CloseHandle( *0x13cde2c);
              				}
              				_t99 =  *0x13b00e0; // 0x0
              				if( *0x13cde21 != 0) {
              					_t58 =  *0x13ad5fc; // 0x3e8
              					if( *0x13cde22 == 0) {
              						__eflags = _t58;
              						if(_t58 < 0) {
              							_t99 = _t99 - _t58;
              							__eflags = _t99;
              						}
              					} else {
              						_t99 =  *0x13cde24;
              						if(_t58 > 0) {
              							_t99 = _t99 + _t58;
              						}
              					}
              				}
              				E01389B08(_t107 + 0x1c); // executed
              				return _t99;
              			}





















              APIs
                • Part of subcall function 0137FD49: GetModuleHandleW.KERNEL32 ref: 0137FD61
                • Part of subcall function 0137FD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0137FD79
                • Part of subcall function 0137FD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0137FD9C
                • Part of subcall function 013895F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 01389600
                • Part of subcall function 01389AA0: OleInitialize.OLE32(00000000), ref: 01389AB9
                • Part of subcall function 01389AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 01389AF0
                • Part of subcall function 01389AA0: SHGetMalloc.SHELL32(013B75C0), ref: 01389AFA
                • Part of subcall function 01381017: GetCPInfo.KERNEL32(00000000,?), ref: 01381028
                • Part of subcall function 01381017: IsDBCSLeadByte.KERNEL32(00000000), ref: 0138103C
              • GetCommandLineW.KERNEL32 ref: 0138CC00
              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0138CC27
              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0138CC38
              • UnmapViewOfFile.KERNEL32(00000000), ref: 0138CC72
                • Part of subcall function 0138C891: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0138C8A7
                • Part of subcall function 0138C891: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0138C8E3
              • CloseHandle.KERNEL32(00000000), ref: 0138CC7B
              • GetModuleFileNameW.KERNEL32(00000000,013CCE18,00000800), ref: 0138CC96
              • SetEnvironmentVariableW.KERNEL32(sfxname,013CCE18), ref: 0138CCA8
              • GetLocalTime.KERNEL32(?), ref: 0138CCAF
              • _swprintf.LIBCMT ref: 0138CCEE
              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0138CD00
              • GetModuleHandleW.KERNEL32(00000000), ref: 0138CD03
              • LoadIconW.USER32(00000000,00000064), ref: 0138CD1A
              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 0138CD6B
              • Sleep.KERNEL32(?), ref: 0138CD99
              • DeleteObject.GDI32 ref: 0138CDD8
              • DeleteObject.GDI32(?), ref: 0138CDE4
              • CloseHandle.KERNEL32 ref: 0138CE23
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
              • API String ID: 788466649-2656992072
              • Opcode ID: 23e437b3536ad410c024f43fc06d3c484b689552bdc81667e88877729ccc0a8c
              • Instruction ID: f350dfbe32b6a5b2671ce79fa21e88557018b626c1b514f2c5801154bb479ddd
              • Opcode Fuzzy Hash: 23e437b3536ad410c024f43fc06d3c484b689552bdc81667e88877729ccc0a8c
              • Instruction Fuzzy Hash: 7061C671500345AFD730BB79DC88FAB7BACFB95708F440429FA0592284EB74A845CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E0138963A(WCHAR* _a4) {
              				WCHAR* _v4;
              				intOrPtr _v8;
              				intOrPtr* _v16;
              				char _v20;
              				void* __ecx;
              				struct HRSRC__* _t14;
              				WCHAR* _t16;
              				void* _t17;
              				void* _t18;
              				void* _t19;
              				intOrPtr* _t26;
              				char* _t30;
              				long _t32;
              				void* _t34;
              				intOrPtr* _t35;
              				void* _t40;
              				struct HRSRC__* _t42;
              				intOrPtr* _t44;
              
              				_t14 = FindResourceW( *0x13b0060, _a4, "PNG");
              				_t42 = _t14;
              				if(_t42 == 0) {
              					return _t14;
              				}
              				_t32 = SizeofResource( *0x13b0060, _t42);
              				if(_t32 == 0) {
              					L4:
              					_t16 = 0;
              					L16:
              					return _t16;
              				}
              				_t17 = LoadResource( *0x13b0060, _t42);
              				if(_t17 == 0) {
              					goto L4;
              				}
              				_t18 = LockResource(_t17);
              				_t43 = _t18;
              				if(_t18 != 0) {
              					_v4 = 0;
              					_t19 = GlobalAlloc(2, _t32); // executed
              					_t40 = _t19;
              					if(_t40 == 0) {
              						L15:
              						_t16 = _v4;
              						goto L16;
              					}
              					if(GlobalLock(_t40) == 0) {
              						L14:
              						GlobalFree(_t40);
              						goto L15;
              					}
              					E0138EA80(_t20, _t43, _t32);
              					_a4 = 0;
              					_push( &_a4);
              					_push(0);
              					_push(_t40);
              					if( *0x13adff8() == 0) {
              						_t26 = E013895CF(_t24, _t34, _v8, 0); // executed
              						_t35 = _v16;
              						_t44 = _t26;
              						 *((intOrPtr*)( *_t35 + 8))(_t35);
              						if(_t44 != 0) {
              							 *((intOrPtr*)(_t44 + 8)) = 0;
              							if( *((intOrPtr*)(_t44 + 8)) == 0) {
              								_push(0xffffff);
              								_t30 =  &_v20;
              								_push(_t30);
              								_push( *((intOrPtr*)(_t44 + 4)));
              								L0138D81A(); // executed
              								if(_t30 != 0) {
              									 *((intOrPtr*)(_t44 + 8)) = _t30;
              								}
              							}
              							 *((intOrPtr*)( *_t44))(1);
              						}
              					}
              					GlobalUnlock(_t40);
              					goto L14;
              				}
              				goto L4;
              			}






















              APIs
              • FindResourceW.KERNEL32(00000066,PNG,?,?,0138A54A,00000066), ref: 0138964B
              • SizeofResource.KERNEL32(00000000,77625B70,?,?,0138A54A,00000066), ref: 01389663
              • LoadResource.KERNEL32(00000000,?,?,0138A54A,00000066), ref: 01389676
              • LockResource.KERNEL32(00000000,?,?,0138A54A,00000066), ref: 01389681
              • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,0138A54A,00000066), ref: 0138969F
              • GlobalLock.KERNEL32 ref: 013896AC
              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 01389707
              • GlobalUnlock.KERNEL32(00000000), ref: 0138971C
              • GlobalFree.KERNEL32 ref: 01389723
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
              • String ID: PNG
              • API String ID: 4097654274-364855578
              • Opcode ID: b781ca8fe6671dcf996a9b532df83107a711b89283769e63ef02eb154e6c6c41
              • Instruction ID: 34fccd6f5b4f6efbcdf86db7c6049d730be040775a6618510669260056982e69
              • Opcode Fuzzy Hash: b781ca8fe6671dcf996a9b532df83107a711b89283769e63ef02eb154e6c6c41
              • Instruction Fuzzy Hash: F9218F75600306ABD735AF65D888E3BBFADEF85798F01052CFA46C2254EB31D804CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E0137A2DF(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
              				struct _WIN32_FIND_DATAW _v0;
              				char _v4;
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				char _v20;
              				char _v24;
              				signed int _t43;
              				signed int _t49;
              				signed int _t63;
              				void* _t65;
              				long _t68;
              				char _t69;
              				void* _t73;
              				void* _t82;
              				intOrPtr _t84;
              				void* _t87;
              				signed int _t89;
              				void* _t90;
              
              				_t82 = __edx;
              				E0138D940();
              				_push(_t89);
              				_t87 = _a4692;
              				_t84 = _a4700;
              				_t90 = _t89 | 0xffffffff;
              				_push( &_v0);
              				if(_t87 != _t90) {
              					_t43 = FindNextFileW(_t87, ??);
              					__eflags = _t43;
              					if(_t43 == 0) {
              						_t87 = _t90;
              						_t63 = GetLastError();
              						__eflags = _t63 - 0x12;
              						_t11 = _t63 != 0x12;
              						__eflags = _t11;
              						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
              					}
              					__eflags = _t87 - _t90;
              					if(_t87 != _t90) {
              						goto L13;
              					}
              				} else {
              					_t65 = FindFirstFileW(_a4696, ??); // executed
              					_t87 = _t65;
              					if(_t87 != _t90) {
              						L13:
              						E0137FAB1(_t84, _a4696, 0x800);
              						_push(0x800);
              						E0137B9B9(__eflags, _t84,  &_a32);
              						_t49 = 0 + _a8;
              						__eflags = _t49;
              						 *(_t84 + 0x1000) = _t49;
              						asm("adc ecx, 0x0");
              						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
              						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
              						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
              						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
              						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
              						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
              						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
              						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
              						E01380A81(_t84 + 0x1010, _t82,  &_v4);
              						E01380A81(_t84 + 0x1018, _t82,  &_v24);
              						E01380A81(_t84 + 0x1020, _t82,  &_v20);
              					} else {
              						if(E0137B32C(_a4696,  &_a592, 0x800) == 0) {
              							L4:
              							_t68 = GetLastError();
              							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
              								_t69 = 0;
              								__eflags = 0;
              							} else {
              								_t69 = 1;
              							}
              							 *((char*)(_t84 + 0x1044)) = _t69;
              						} else {
              							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
              							_t87 = _t73;
              							if(_t87 != _t90) {
              								goto L13;
              							} else {
              								goto L4;
              							}
              						}
              					}
              				}
              				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
              				return _t87;
              			}























              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0137A1DA,000000FF,?,?), ref: 0137A314
              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0137A1DA,000000FF,?,?), ref: 0137A34A
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0137A1DA,000000FF,?,?), ref: 0137A352
              • FindNextFileW.KERNEL32(?,?,?,?,?,?,0137A1DA,000000FF,?,?), ref: 0137A37A
              • GetLastError.KERNEL32(?,?,?,?,0137A1DA,000000FF,?,?), ref: 0137A386
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFind$ErrorFirstLast$Next
              • String ID:
              • API String ID: 869497890-0
              • Opcode ID: d0b0a318df774829013d794f8cae0592f534914243b0b58544dc064a65ff7041
              • Instruction ID: a60d0df54ce1097f962b07f5782747980e168066f7959fb5d02f49d8da34e839
              • Opcode Fuzzy Hash: d0b0a318df774829013d794f8cae0592f534914243b0b58544dc064a65ff7041
              • Instruction Fuzzy Hash: 60416172604345AFD335EF78C8C0ADEF7E8BB48354F040A1AF599D3240D779A9548B91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01396AF3(int _a4) {
              				void* _t14;
              				void* _t16;
              
              				if(E01399D6E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
              					TerminateProcess(GetCurrentProcess(), _a4);
              				}
              				E01396B78(_t14, _t16, _a4);
              				ExitProcess(_a4);
              			}






              APIs
              • GetCurrentProcess.KERNEL32(?,?,01396AC9,?,013AA800,0000000C,01396C20,?,00000002,00000000), ref: 01396B14
              • TerminateProcess.KERNEL32(00000000,?,01396AC9,?,013AA800,0000000C,01396C20,?,00000002,00000000), ref: 01396B1B
              • ExitProcess.KERNEL32 ref: 01396B2D
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: da1f9ceaaac102c8084f9304cab923d1db376fdebd4df886c7bbdd5870bd3087
              • Instruction ID: a13a49cfe6f10f2ff09ac51a4b0d84da5b605264c8617d8b8461a8098506d287
              • Opcode Fuzzy Hash: da1f9ceaaac102c8084f9304cab923d1db376fdebd4df886c7bbdd5870bd3087
              • Instruction Fuzzy Hash: 75E0EC75041108AFDF21BF69D94AE593F6EEF54749F404414FE068A121DB35ED52CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E013783C0(intOrPtr __ecx) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t370;
              				signed int _t374;
              				signed int _t375;
              				signed int _t380;
              				signed int _t385;
              				void* _t387;
              				signed int _t388;
              				signed int _t392;
              				signed int _t393;
              				signed int _t398;
              				signed int _t403;
              				signed int _t404;
              				signed int _t408;
              				signed int _t418;
              				signed int _t419;
              				signed int _t422;
              				signed int _t423;
              				signed int _t432;
              				char _t434;
              				char _t436;
              				signed int _t437;
              				signed int _t438;
              				signed int _t460;
              				signed int _t469;
              				intOrPtr _t472;
              				char _t479;
              				signed int _t480;
              				void* _t491;
              				void* _t499;
              				void* _t501;
              				signed int _t511;
              				signed int _t515;
              				signed int _t516;
              				signed int _t517;
              				signed int _t520;
              				signed int _t523;
              				signed int _t531;
              				signed int _t541;
              				signed int _t543;
              				signed int _t545;
              				signed int _t547;
              				signed char _t548;
              				signed int _t551;
              				void* _t556;
              				signed int _t564;
              				intOrPtr* _t574;
              				intOrPtr _t576;
              				signed int _t577;
              				signed int _t586;
              				intOrPtr _t589;
              				signed int _t592;
              				signed int _t601;
              				signed int _t608;
              				signed int _t610;
              				signed int _t611;
              				signed int _t613;
              				signed int _t631;
              				signed int _t632;
              				void* _t639;
              				void* _t640;
              				signed int _t656;
              				signed int _t667;
              				intOrPtr _t668;
              				void* _t670;
              				signed int _t671;
              				signed int _t672;
              				signed int _t673;
              				signed int _t674;
              				signed int _t675;
              				signed int _t681;
              				intOrPtr _t683;
              				signed int _t688;
              				intOrPtr _t690;
              				signed int _t692;
              				signed int _t696;
              				void* _t698;
              				signed int _t699;
              				signed int _t702;
              				signed int _t703;
              				void* _t706;
              				void* _t708;
              				void* _t710;
              
              				_t576 = __ecx;
              				E0138D870(E013A12F2, _t706);
              				E0138D940();
              				_t574 =  *((intOrPtr*)(_t706 + 8));
              				_t665 = 0;
              				_t683 = _t576;
              				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
              				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
              				 *(_t706 - 0x18) = _t370;
              				if( *(_t706 + 0xc) != 0) {
              					L6:
              					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
              					__eflags = _t690 - 2;
              					if(_t690 == 2) {
              						 *(_t683 + 0x10f5) = _t665;
              						__eflags =  *(_t574 + 0x32dc) - _t665;
              						if(__eflags > 0) {
              							L22:
              							__eflags =  *(_t574 + 0x32e4) - _t665;
              							if(__eflags > 0) {
              								L26:
              								_t577 =  *(_t683 + 8);
              								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
              								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
              									L29:
              									 *(_t706 - 0x11) = _t665;
              									_t35 = _t706 - 0x51a8; // -18856
              									_t36 = _t706 - 0x11; // 0x7ef
              									_t374 = E01375C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
              									__eflags = _t374;
              									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
              									 *(_t706 - 0x10) = _t375;
              									__eflags = _t375;
              									if(_t375 != 0) {
              										__eflags =  *(_t706 - 0x11);
              										if( *(_t706 - 0x11) == 0) {
              											__eflags = 0;
              											 *((char*)(_t683 + 0xf1)) = 0;
              										}
              									}
              									E01371F1B(_t574);
              									_push(0x800);
              									_t43 = _t706 - 0x113c; // -2364
              									_push(_t574 + 0x22a8);
              									E0137AFA3();
              									__eflags =  *((char*)(_t574 + 0x3373));
              									 *(_t706 - 0x1c) = 1;
              									if( *((char*)(_t574 + 0x3373)) == 0) {
              										_t380 = E01372005(_t574);
              										__eflags = _t380;
              										if(_t380 == 0) {
              											_t548 =  *(_t683 + 8);
              											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
              											asm("sbb al, al");
              											_t61 = _t706 - 0x10;
              											 *_t61 =  *(_t706 - 0x10) &  !_t548;
              											__eflags =  *_t61;
              										}
              									} else {
              										_t551 =  *( *(_t683 + 8) + 0x72bc);
              										__eflags = _t551 - 1;
              										if(_t551 != 1) {
              											__eflags =  *(_t706 - 0x11);
              											if( *(_t706 - 0x11) == 0) {
              												__eflags = _t551;
              												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
              												_push(0);
              												_t54 = _t706 - 0x113c; // -2364
              												_t556 = E0137B8F2(_t54);
              												_t656 =  *(_t683 + 8);
              												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
              												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
              													 *(_t706 - 0x10) = 0;
              												} else {
              													_t57 = _t706 - 0x113c; // -2364
              													_push(1);
              													E0137B8F2(_t57);
              												}
              											}
              										}
              									}
              									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
              									 *((char*)(_t683 + 0x60)) = 0;
              									asm("sbb eax, [ebx+0x32dc]");
              									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
              									_t667 = 0;
              									_t385 = 0;
              									 *(_t706 + 0xb) = 0;
              									 *(_t706 + 0xc) = 0;
              									__eflags =  *(_t706 - 0x10);
              									if( *(_t706 - 0x10) != 0) {
              										L43:
              										_t692 =  *(_t706 - 0x18);
              										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
              										_t387 = 0x49;
              										__eflags = _t586;
              										if(_t586 == 0) {
              											L45:
              											_t388 = _t667;
              											L46:
              											__eflags = _t586;
              											_t82 = _t706 - 0x113c; // -2364
              											_t392 = E01380FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
              											__eflags = _t392;
              											if(__eflags == 0) {
              												L219:
              												_t393 = 0;
              												L16:
              												L17:
              												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
              												return _t393;
              											}
              											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
              											_t85 = _t706 - 0x113c; // -2364
              											E013780B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
              											__eflags =  *(_t706 + 0xb);
              											if( *(_t706 + 0xb) != 0) {
              												L50:
              												 *(_t706 + 0xf) = 0;
              												L51:
              												_t398 =  *(_t683 + 8);
              												_t589 = 0x45;
              												__eflags =  *((char*)(_t398 + 0x6153));
              												_t668 = 0x58;
              												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
              												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
              												if( *((char*)(_t398 + 0x6153)) != 0) {
              													L53:
              													__eflags = _t692 - _t589;
              													if(_t692 == _t589) {
              														L55:
              														_t96 = _t706 - 0x31a8; // -10664
              														E01376EF9(_t96);
              														_push(0);
              														_t97 = _t706 - 0x31a8; // -10664
              														_t403 = E0137A1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
              														__eflags = _t403;
              														if(_t403 == 0) {
              															_t404 =  *(_t683 + 8);
              															__eflags =  *((char*)(_t404 + 0x6153));
              															_t108 = _t706 + 0xf;
              															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
              															__eflags =  *_t108;
              															L61:
              															_t110 = _t706 - 0x113c; // -2364
              															_t408 = E01377BE2(_t110, _t574, _t110);
              															__eflags = _t408;
              															if(_t408 != 0) {
              																while(1) {
              																	__eflags =  *((char*)(_t574 + 0x331b));
              																	if( *((char*)(_t574 + 0x331b)) == 0) {
              																		goto L65;
              																	}
              																	_t115 = _t706 - 0x113c; // -2364
              																	_t541 = E0137807D(_t683, _t574);
              																	__eflags = _t541;
              																	if(_t541 == 0) {
              																		 *((char*)(_t683 + 0x20f6)) = 1;
              																		goto L219;
              																	}
              																	L65:
              																	_t117 = _t706 - 0x13c; // 0x6c4
              																	_t592 = 0x40;
              																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
              																	_t710 = _t708 + 0xc;
              																	asm("movsw");
              																	_t120 = _t706 - 0x2c; // 0x7d4
              																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
              																	 *(_t706 - 4) = 0;
              																	asm("sbb ecx, ecx");
              																	_t127 = _t706 - 0x13c; // 0x6c4
              																	E0137C634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
              																	__eflags =  *((char*)(_t574 + 0x331b));
              																	if( *((char*)(_t574 + 0x331b)) == 0) {
              																		L73:
              																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
              																		_t146 = _t706 - 0x13c; // 0x6c4
              																		L0137E724(_t146);
              																		_t147 = _t706 - 0x2160; // -6496
              																		E0137943C(_t147);
              																		_t418 =  *(_t574 + 0x3380);
              																		 *(_t706 - 4) = 1;
              																		 *(_t706 - 0x24) = _t418;
              																		_t670 = 0x50;
              																		__eflags = _t418;
              																		if(_t418 == 0) {
              																			L83:
              																			_t419 = E01372005(_t574);
              																			__eflags = _t419;
              																			if(_t419 == 0) {
              																				_t601 =  *(_t706 + 0xf);
              																				__eflags = _t601;
              																				if(_t601 == 0) {
              																					_t696 =  *(_t706 - 0x18);
              																					L96:
              																					__eflags =  *((char*)(_t574 + 0x6cb4));
              																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
              																						__eflags = _t601;
              																						if(_t601 == 0) {
              																							L212:
              																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
              																							_t358 = _t706 - 0x2160; // -6496
              																							E0137946E(_t358);
              																							__eflags =  *(_t706 - 0x10);
              																							_t385 =  *(_t706 + 0xf);
              																							_t671 =  *(_t706 + 0xb);
              																							if( *(_t706 - 0x10) != 0) {
              																								_t362 = _t683 + 0xec;
              																								 *_t362 =  *(_t683 + 0xec) + 1;
              																								__eflags =  *_t362;
              																							}
              																							L214:
              																							__eflags =  *((char*)(_t683 + 0x60));
              																							if( *((char*)(_t683 + 0x60)) != 0) {
              																								goto L219;
              																							}
              																							__eflags = _t385;
              																							if(_t385 != 0) {
              																								L15:
              																								_t393 = 1;
              																								goto L16;
              																							}
              																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
              																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
              																								__eflags = _t671;
              																								if(_t671 != 0) {
              																									goto L15;
              																								}
              																								goto L219;
              																							}
              																							L217:
              																							E01371E3B(_t574);
              																							goto L15;
              																						}
              																						L101:
              																						_t422 =  *(_t683 + 8);
              																						__eflags =  *((char*)(_t422 + 0x61f9));
              																						if( *((char*)(_t422 + 0x61f9)) == 0) {
              																							L103:
              																							_t423 =  *(_t706 + 0xb);
              																							__eflags = _t423;
              																							if(_t423 != 0) {
              																								L108:
              																								 *((char*)(_t706 - 0xf)) = 1;
              																								__eflags = _t423;
              																								if(_t423 != 0) {
              																									L110:
              																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
              																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
              																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
              																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
              																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
              																									E0137A728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
              																									E0137A728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
              																									_t698 = _t683 + 0x10;
              																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
              																									_t217 = _t706 - 0x2160; // -6496
              																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
              																									E0137C67C(_t698, _t574, _t217);
              																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
              																									_t608 = 0;
              																									_t432 =  *(_t706 + 0xb);
              																									 *((char*)(_t683 + 0x39)) = _t672;
              																									 *((char*)(_t683 + 0x3a)) = _t432;
              																									 *(_t706 - 0x1c) = 0;
              																									 *(_t706 - 0x28) = 0;
              																									__eflags = _t672;
              																									if(_t672 != 0) {
              																										L127:
              																										_t673 =  *(_t683 + 8);
              																										__eflags =  *((char*)(_t673 + 0x6198));
              																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
              																										__eflags =  *((char*)(_t706 - 0xf));
              																										if( *((char*)(_t706 - 0xf)) != 0) {
              																											L131:
              																											_t434 = 1;
              																											__eflags = 1;
              																											L132:
              																											__eflags =  *(_t706 - 0x24);
              																											 *((char*)(_t706 - 0xe)) = _t608;
              																											 *((char*)(_t706 - 0x12)) = _t434;
              																											 *((char*)(_t706 - 0xd)) = _t434;
              																											if( *(_t706 - 0x24) == 0) {
              																												__eflags =  *(_t574 + 0x3318);
              																												if( *(_t574 + 0x3318) == 0) {
              																													__eflags =  *((char*)(_t574 + 0x22a0));
              																													if(__eflags != 0) {
              																														E01382842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
              																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
              																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
              																														__eflags = 0;
              																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
              																														 *((char*)(_t472 + 0x4c60)) = 0;
              																														E013824D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
              																													} else {
              																														_push( *(_t574 + 0x32e4));
              																														_push( *(_t574 + 0x32e0));
              																														_push(_t698);
              																														E0137910B(_t574, _t673, _t683, __eflags);
              																													}
              																												}
              																												L163:
              																												E01371E3B(_t574);
              																												__eflags =  *((char*)(_t574 + 0x3319));
              																												if( *((char*)(_t574 + 0x3319)) != 0) {
              																													L166:
              																													_t436 = 0;
              																													__eflags = 0;
              																													_t610 = 0;
              																													L167:
              																													__eflags =  *(_t574 + 0x3370);
              																													if( *(_t574 + 0x3370) != 0) {
              																														__eflags =  *((char*)(_t574 + 0x22a0));
              																														if( *((char*)(_t574 + 0x22a0)) == 0) {
              																															L175:
              																															__eflags =  *(_t706 + 0xb);
              																															 *((char*)(_t706 - 0xe)) = _t436;
              																															if( *(_t706 + 0xb) != 0) {
              																																L185:
              																																__eflags =  *(_t706 - 0x24);
              																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
              																																if( *(_t706 - 0x24) == 0) {
              																																	L189:
              																																	_t611 = 0;
              																																	__eflags = 0;
              																																	L190:
              																																	__eflags =  *((char*)(_t706 - 0xf));
              																																	if( *((char*)(_t706 - 0xf)) != 0) {
              																																		goto L212;
              																																	}
              																																	_t699 =  *(_t706 - 0x18);
              																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
              																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
              																																		L193:
              																																		__eflags =  *(_t706 - 0x24);
              																																		if( *(_t706 - 0x24) == 0) {
              																																			L197:
              																																			__eflags = _t436;
              																																			if(_t436 == 0) {
              																																				L200:
              																																				__eflags = _t611;
              																																				if(_t611 != 0) {
              																																					L208:
              																																					_t437 =  *(_t683 + 8);
              																																					__eflags =  *((char*)(_t437 + 0x61a0));
              																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
              																																						_t700 = _t683 + 0x10f6;
              																																						_t438 = E0137A12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
              																																						__eflags = _t438;
              																																						if(__eflags == 0) {
              																																							E01376BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
              																																						}
              																																					}
              																																					 *(_t683 + 0x10f5) = 1;
              																																					goto L212;
              																																				}
              																																				_t675 =  *(_t706 - 0x28);
              																																				__eflags = _t675;
              																																				_t613 =  *(_t706 - 0x1c);
              																																				if(_t675 > 0) {
              																																					L203:
              																																					__eflags = _t436;
              																																					if(_t436 != 0) {
              																																						L206:
              																																						_t331 = _t706 - 0x2160; // -6496
              																																						E01379BD6(_t331);
              																																						L207:
              																																						_t688 = _t574 + 0x32c0;
              																																						asm("sbb eax, eax");
              																																						asm("sbb ecx, ecx");
              																																						asm("sbb eax, eax");
              																																						_t339 = _t706 - 0x2160; // -6496
              																																						E01379A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
              																																						_t340 = _t706 - 0x2160; // -6496
              																																						E013794DA(_t340);
              																																						E01377A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
              																																						asm("sbb eax, eax");
              																																						asm("sbb eax, eax");
              																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
              																																						E01379A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
              																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
              																																						goto L208;
              																																					}
              																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
              																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
              																																						goto L206;
              																																					}
              																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
              																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
              																																						goto L207;
              																																					}
              																																					goto L206;
              																																				}
              																																				__eflags = _t613;
              																																				if(_t613 == 0) {
              																																					goto L207;
              																																				}
              																																				goto L203;
              																																			}
              																																			_t460 =  *(_t683 + 8);
              																																			__eflags =  *((char*)(_t460 + 0x6198));
              																																			if( *((char*)(_t460 + 0x6198)) == 0) {
              																																				goto L212;
              																																			}
              																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
              																																			goto L200;
              																																		}
              																																		__eflags = _t611;
              																																		if(_t611 != 0) {
              																																			goto L197;
              																																		}
              																																		__eflags =  *(_t574 + 0x3380) - 5;
              																																		if( *(_t574 + 0x3380) != 5) {
              																																			goto L212;
              																																		}
              																																		__eflags = _t674;
              																																		if(_t674 == 0) {
              																																			goto L212;
              																																		}
              																																		goto L197;
              																																	}
              																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
              																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
              																																		goto L212;
              																																	}
              																																	goto L193;
              																																}
              																																__eflags =  *(_t574 + 0x3380) - 4;
              																																if( *(_t574 + 0x3380) != 4) {
              																																	goto L189;
              																																}
              																																__eflags = _t674;
              																																if(_t674 == 0) {
              																																	goto L189;
              																																}
              																																_t611 = 1;
              																																goto L190;
              																															}
              																															__eflags =  *((char*)(_t706 - 0x12));
              																															if( *((char*)(_t706 - 0x12)) == 0) {
              																																goto L185;
              																															}
              																															__eflags = _t610;
              																															if(_t610 != 0) {
              																																goto L185;
              																															}
              																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
              																															if(__eflags == 0) {
              																																L183:
              																																_t311 = _t706 - 0x113c; // -2364
              																																_push(_t574 + 0x1e);
              																																_push(3);
              																																L184:
              																																E01376BF5(__eflags);
              																																 *((char*)(_t706 - 0xe)) = 1;
              																																E01376E03(0x13b00e0, 3);
              																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
              																																goto L185;
              																															}
              																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
              																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
              																																L181:
              																																__eflags =  *((char*)(_t683 + 0xf3));
              																																if(__eflags != 0) {
              																																	goto L183;
              																																}
              																																_t309 = _t706 - 0x113c; // -2364
              																																_push(_t574 + 0x1e);
              																																_push(4);
              																																goto L184;
              																															}
              																															__eflags =  *(_t574 + 0x6cc4) - _t610;
              																															if(__eflags == 0) {
              																																goto L183;
              																															}
              																															goto L181;
              																														}
              																														__eflags =  *(_t574 + 0x32e4) - _t436;
              																														if(__eflags < 0) {
              																															goto L175;
              																														}
              																														if(__eflags > 0) {
              																															L173:
              																															__eflags = _t610;
              																															if(_t610 != 0) {
              																																 *((char*)(_t683 + 0xf3)) = 1;
              																															}
              																															goto L175;
              																														}
              																														__eflags =  *(_t574 + 0x32e0) - _t436;
              																														if( *(_t574 + 0x32e0) <= _t436) {
              																															goto L175;
              																														}
              																														goto L173;
              																													}
              																													 *((char*)(_t683 + 0xf3)) = _t436;
              																													goto L175;
              																												}
              																												asm("sbb edx, edx");
              																												_t469 = E0137A6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
              																												__eflags = _t469;
              																												if(_t469 == 0) {
              																													goto L166;
              																												}
              																												_t610 = 1;
              																												_t436 = 0;
              																												goto L167;
              																											}
              																											_t702 =  *(_t574 + 0x3380);
              																											__eflags = _t702 - 4;
              																											if(__eflags == 0) {
              																												L146:
              																												_t262 = _t706 - 0x41a8; // -14760
              																												E013780B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
              																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
              																												__eflags = _t608;
              																												if(_t608 == 0) {
              																													L153:
              																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
              																													L154:
              																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
              																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
              																														L141:
              																														__eflags = _t608;
              																														if(_t608 == 0) {
              																															L157:
              																															_t480 = 0;
              																															__eflags = 0;
              																															L158:
              																															 *(_t683 + 0x10f5) = _t480;
              																															goto L163;
              																														}
              																														L142:
              																														__eflags = _t479;
              																														if(_t479 == 0) {
              																															goto L157;
              																														}
              																														_t480 = 1;
              																														goto L158;
              																													}
              																													__eflags = _t608;
              																													if(_t608 != 0) {
              																														goto L142;
              																													}
              																													L140:
              																													 *((char*)(_t706 - 0x12)) = 0;
              																													goto L141;
              																												}
              																												__eflags =  *((short*)(_t706 - 0x41a8));
              																												if( *((short*)(_t706 - 0x41a8)) == 0) {
              																													goto L153;
              																												}
              																												_t266 = _t706 - 0x41a8; // -14760
              																												_push(0x800);
              																												_push(_t683 + 0x10f6);
              																												__eflags = _t702 - 4;
              																												if(__eflags != 0) {
              																													_push(_t574 + 0x1e);
              																													_t269 = _t706 - 0x2160; // -6496
              																													_t479 = E01379049(_t673, __eflags);
              																												} else {
              																													_t479 = E013774DD(_t608, __eflags);
              																												}
              																												L151:
              																												 *((char*)(_t706 - 0xd)) = _t479;
              																												__eflags = _t479;
              																												if(_t479 == 0) {
              																													L139:
              																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
              																													goto L140;
              																												}
              																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
              																												goto L154;
              																											}
              																											__eflags = _t702 - 5;
              																											if(__eflags == 0) {
              																												goto L146;
              																											}
              																											__eflags = _t702 - _t434;
              																											if(_t702 == _t434) {
              																												L144:
              																												__eflags = _t608;
              																												if(_t608 == 0) {
              																													goto L153;
              																												}
              																												_push(_t683 + 0x10f6);
              																												_t479 = E0137774C(_t673, _t683 + 0x10, _t574);
              																												goto L151;
              																											}
              																											__eflags = _t702 - 2;
              																											if(_t702 == 2) {
              																												goto L144;
              																											}
              																											__eflags = _t702 - 3;
              																											if(__eflags == 0) {
              																												goto L144;
              																											}
              																											E01376BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
              																											__eflags = 0;
              																											_t479 = 0;
              																											 *((char*)(_t706 - 0xd)) = 0;
              																											goto L139;
              																										}
              																										__eflags = _t432;
              																										if(_t432 != 0) {
              																											goto L131;
              																										}
              																										_t491 = 0x50;
              																										__eflags =  *(_t706 - 0x18) - _t491;
              																										if( *(_t706 - 0x18) == _t491) {
              																											goto L131;
              																										}
              																										_t434 = 1;
              																										_t608 = 1;
              																										goto L132;
              																									}
              																									__eflags =  *(_t574 + 0x6cc4);
              																									if( *(_t574 + 0x6cc4) != 0) {
              																										goto L127;
              																									}
              																									_t703 =  *(_t574 + 0x32e4);
              																									_t681 =  *(_t574 + 0x32e0);
              																									__eflags = _t703;
              																									if(__eflags < 0) {
              																										L126:
              																										_t698 = _t683 + 0x10;
              																										goto L127;
              																									}
              																									if(__eflags > 0) {
              																										L115:
              																										_t631 =  *(_t574 + 0x32d8);
              																										_t632 = _t631 << 0xa;
              																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
              																										if(__eflags < 0) {
              																											L125:
              																											_t432 =  *(_t706 + 0xb);
              																											_t608 = 0;
              																											__eflags = 0;
              																											goto L126;
              																										}
              																										if(__eflags > 0) {
              																											L118:
              																											__eflags = _t703;
              																											if(__eflags < 0) {
              																												L124:
              																												_t237 = _t706 - 0x2160; // -6496
              																												E013798D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
              																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
              																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
              																												goto L125;
              																											}
              																											if(__eflags > 0) {
              																												L121:
              																												_t499 = E013796E1(_t681);
              																												__eflags = _t681 -  *(_t574 + 0x32dc);
              																												if(__eflags < 0) {
              																													goto L125;
              																												}
              																												if(__eflags > 0) {
              																													goto L124;
              																												}
              																												__eflags = _t499 -  *(_t574 + 0x32d8);
              																												if(_t499 <=  *(_t574 + 0x32d8)) {
              																													goto L125;
              																												}
              																												goto L124;
              																											}
              																											__eflags = _t681 - 0x5f5e100;
              																											if(_t681 < 0x5f5e100) {
              																												goto L124;
              																											}
              																											goto L121;
              																										}
              																										__eflags = _t632 - _t681;
              																										if(_t632 <= _t681) {
              																											goto L125;
              																										}
              																										goto L118;
              																									}
              																									__eflags = _t681 - 0xf4240;
              																									if(_t681 <= 0xf4240) {
              																										goto L126;
              																									}
              																									goto L115;
              																								}
              																								L109:
              																								_t198 = _t683 + 0xe4;
              																								 *_t198 =  *(_t683 + 0xe4) + 1;
              																								__eflags =  *_t198;
              																								goto L110;
              																							}
              																							 *((char*)(_t706 - 0xf)) = 0;
              																							_t501 = 0x50;
              																							__eflags = _t696 - _t501;
              																							if(_t696 != _t501) {
              																								_t192 = _t706 - 0x2160; // -6496
              																								__eflags = E01379745(_t192);
              																								if(__eflags != 0) {
              																									E01376BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
              																									E01376E9B(0x13b00e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
              																								}
              																							}
              																							goto L109;
              																						}
              																						 *(_t683 + 0x10f5) = 1;
              																						__eflags =  *((char*)(_t422 + 0x61f9));
              																						if( *((char*)(_t422 + 0x61f9)) != 0) {
              																							_t423 =  *(_t706 + 0xb);
              																							goto L108;
              																						}
              																						goto L103;
              																					}
              																					 *(_t706 + 0xb) = 1;
              																					 *(_t706 + 0xf) = 1;
              																					_t182 = _t706 - 0x113c; // -2364
              																					_t511 = E01380FD9(_t601, _t182, 0, 0, 1);
              																					__eflags = _t511;
              																					if(_t511 != 0) {
              																						goto L101;
              																					}
              																					__eflags = 0;
              																					 *(_t706 - 0x1c) = 0;
              																					L99:
              																					_t184 = _t706 - 0x2160; // -6496
              																					E0137946E(_t184);
              																					_t393 =  *(_t706 - 0x1c);
              																					goto L16;
              																				}
              																				_t174 = _t706 - 0x2160; // -6496
              																				_push(_t574);
              																				_t515 = E01377F5F(_t683);
              																				_t696 =  *(_t706 - 0x18);
              																				_t601 = _t515;
              																				 *(_t706 + 0xf) = _t601;
              																				L93:
              																				__eflags = _t601;
              																				if(_t601 != 0) {
              																					goto L101;
              																				}
              																				goto L96;
              																			}
              																			__eflags =  *(_t706 + 0xf);
              																			if( *(_t706 + 0xf) != 0) {
              																				_t516 =  *(_t706 - 0x18);
              																				__eflags = _t516 - 0x50;
              																				if(_t516 != 0x50) {
              																					_t639 = 0x49;
              																					__eflags = _t516 - _t639;
              																					if(_t516 != _t639) {
              																						_t640 = 0x45;
              																						__eflags = _t516 - _t640;
              																						if(_t516 != _t640) {
              																							_t517 =  *(_t683 + 8);
              																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
              																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
              																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
              																								_t172 = _t706 - 0x113c; // -2364
              																								_push(_t574);
              																								E01377D9B(_t683);
              																							}
              																						}
              																					}
              																				}
              																			}
              																			goto L99;
              																		}
              																		__eflags = _t418 - 5;
              																		if(_t418 == 5) {
              																			goto L83;
              																		}
              																		_t601 =  *(_t706 + 0xf);
              																		_t696 =  *(_t706 - 0x18);
              																		__eflags = _t601;
              																		if(_t601 == 0) {
              																			goto L96;
              																		}
              																		__eflags = _t696 - _t670;
              																		if(_t696 == _t670) {
              																			goto L93;
              																		}
              																		_t520 =  *(_t683 + 8);
              																		__eflags =  *((char*)(_t520 + 0x61f9));
              																		if( *((char*)(_t520 + 0x61f9)) != 0) {
              																			goto L93;
              																		}
              																		 *((char*)(_t706 - 0xf)) = 0;
              																		_t523 = E01379E6B(_t683 + 0x10f6);
              																		__eflags = _t523;
              																		if(_t523 == 0) {
              																			L81:
              																			__eflags =  *((char*)(_t706 - 0xf));
              																			if( *((char*)(_t706 - 0xf)) == 0) {
              																				_t601 =  *(_t706 + 0xf);
              																				goto L93;
              																			}
              																			L82:
              																			_t601 = 0;
              																			 *(_t706 + 0xf) = 0;
              																			goto L93;
              																		}
              																		__eflags =  *((char*)(_t706 - 0xf));
              																		if( *((char*)(_t706 - 0xf)) != 0) {
              																			goto L82;
              																		}
              																		__eflags = 0;
              																		_push(0);
              																		_push(_t574 + 0x32c0);
              																		_t160 = _t706 - 0xf; // 0x7f1
              																		E0137919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
              																		goto L81;
              																	}
              																	__eflags =  *((char*)(_t574 + 0x3341));
              																	if( *((char*)(_t574 + 0x3341)) == 0) {
              																		goto L73;
              																	}
              																	_t132 = _t706 - 0x2c; // 0x7d4
              																	_t531 = E0138F3CA(_t574 + 0x3342, _t132, 8);
              																	_t708 = _t710 + 0xc;
              																	__eflags = _t531;
              																	if(_t531 == 0) {
              																		goto L73;
              																	}
              																	__eflags =  *(_t574 + 0x6cc4);
              																	if( *(_t574 + 0x6cc4) != 0) {
              																		goto L73;
              																	}
              																	__eflags =  *((char*)(_t683 + 0x10f4));
              																	_t136 = _t706 - 0x113c; // -2364
              																	_push(_t574 + 0x1e);
              																	if(__eflags != 0) {
              																		_push(6);
              																		E01376BF5(__eflags);
              																		E01376E03(0x13b00e0, 0xb);
              																		__eflags = 0;
              																		 *(_t706 + 0xf) = 0;
              																		goto L73;
              																	}
              																	_push(0x7d);
              																	E01376BF5(__eflags);
              																	E0137E797( *(_t683 + 8) + 0x5024);
              																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
              																	_t141 = _t706 - 0x13c; // 0x6c4
              																	L0137E724(_t141);
              																}
              															}
              															E01376E03(0x13b00e0, 2);
              															_t543 = E01371E3B(_t574);
              															__eflags =  *((char*)(_t574 + 0x6cb4));
              															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
              															goto L16;
              														}
              														_t100 = _t706 - 0x2198; // -6552
              														_t545 = E01377BBB(_t100, _t574 + 0x32c0);
              														__eflags = _t545;
              														if(_t545 == 0) {
              															goto L61;
              														}
              														__eflags =  *((char*)(_t706 - 0x219c));
              														if( *((char*)(_t706 - 0x219c)) == 0) {
              															L59:
              															 *(_t706 + 0xf) = 0;
              															goto L61;
              														}
              														_t102 = _t706 - 0x2198; // -6552
              														_t547 = E01377B9D(_t102, _t683);
              														__eflags = _t547;
              														if(_t547 == 0) {
              															goto L61;
              														}
              														goto L59;
              													}
              													__eflags = _t692 - _t668;
              													if(_t692 != _t668) {
              														goto L61;
              													}
              													goto L55;
              												}
              												__eflags =  *((char*)(_t398 + 0x6154));
              												if( *((char*)(_t398 + 0x6154)) == 0) {
              													goto L61;
              												}
              												goto L53;
              											}
              											__eflags =  *(_t683 + 0x10f6);
              											if( *(_t683 + 0x10f6) == 0) {
              												goto L50;
              											}
              											 *(_t706 + 0xf) = 1;
              											__eflags =  *(_t574 + 0x3318);
              											if( *(_t574 + 0x3318) == 0) {
              												goto L51;
              											}
              											goto L50;
              										}
              										__eflags = _t692 - _t387;
              										_t388 = 1;
              										if(_t692 != _t387) {
              											goto L46;
              										}
              										goto L45;
              									}
              									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
              									 *(_t706 + 0xb) = _t671;
              									 *(_t706 + 0xc) = _t671;
              									__eflags = _t671;
              									if(_t671 == 0) {
              										goto L214;
              									} else {
              										_t667 = 0;
              										__eflags = 0;
              										goto L43;
              									}
              								}
              								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
              								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
              									goto L29;
              								}
              								__eflags =  *((char*)(_t683 + 0xf1));
              								if( *((char*)(_t683 + 0xf1)) != 0) {
              									goto L219;
              								}
              								goto L29;
              							}
              							if(__eflags < 0) {
              								L25:
              								 *(_t574 + 0x32e0) = _t665;
              								 *(_t574 + 0x32e4) = _t665;
              								goto L26;
              							}
              							__eflags =  *(_t574 + 0x32e0) - _t665;
              							if( *(_t574 + 0x32e0) >= _t665) {
              								goto L26;
              							}
              							goto L25;
              						}
              						if(__eflags < 0) {
              							L21:
              							 *(_t574 + 0x32d8) = _t665;
              							 *(_t574 + 0x32dc) = _t665;
              							goto L22;
              						}
              						__eflags =  *(_t574 + 0x32d8) - _t665;
              						if( *(_t574 + 0x32d8) >= _t665) {
              							goto L22;
              						}
              						goto L21;
              					}
              					__eflags = _t690 - 3;
              					if(_t690 != 3) {
              						L10:
              						__eflags = _t690 - 5;
              						if(_t690 != 5) {
              							goto L217;
              						}
              						__eflags =  *((char*)(_t574 + 0x45ac));
              						if( *((char*)(_t574 + 0x45ac)) == 0) {
              							goto L219;
              						}
              						_push( *(_t706 - 0x18));
              						_push(0);
              						_push(_t683 + 0x10);
              						_push(_t574);
              						_t564 = E013880D0(_t665);
              						__eflags = _t564;
              						if(_t564 != 0) {
              							__eflags = 0;
              							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
              							goto L15;
              						} else {
              							E01376E03(0x13b00e0, 1);
              							goto L219;
              						}
              					}
              					__eflags =  *(_t683 + 0x10f5);
              					if( *(_t683 + 0x10f5) == 0) {
              						goto L217;
              					} else {
              						E013779A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
              						goto L10;
              					}
              				}
              				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
              					L4:
              					_t393 = 0;
              					goto L17;
              				}
              				_push(_t370);
              				_push(0);
              				_push(_t683 + 0x10);
              				_push(_t574);
              				if(E013880D0(0) != 0) {
              					_t665 = 0;
              					__eflags = 0;
              					goto L6;
              				} else {
              					E01376E03(0x13b00e0, 1);
              					goto L4;
              				}
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog_memcmp
              • String ID:
              • API String ID: 3004599000-0
              • Opcode ID: a385addb50fbf46f63a1bab643e90229e8755d5dcbf08e60f40052453ada26e8
              • Instruction ID: d1372b80182a8fa3264e7b2dd4dae061e606fae596163f917d7ffb523a3fd8e5
              • Opcode Fuzzy Hash: a385addb50fbf46f63a1bab643e90229e8755d5dcbf08e60f40052453ada26e8
              • Instruction Fuzzy Hash: B9821A71904186EEEF36DF68C888BFABBA8BF15308F0845F9D9499B142D7395644CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138E643() {
              				_Unknown_base(*)()* _t1;
              
              				_t1 = SetUnhandledExceptionFilter(E0138E64F); // executed
              				return _t1;
              			}




              0x0138e648
              0x0138e64e

              APIs
              • SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,0138E084), ref: 0138E648
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: a5d484cc3283947f761647771ac20327c74a9e34ba02d99309c71a377f56337d
              • Instruction ID: 4d6d8fbd3fe0b72521701ad82b92df39073c7b6bb32f552a3cf23c683167614b
              • Opcode Fuzzy Hash: a5d484cc3283947f761647771ac20327c74a9e34ba02d99309c71a377f56337d
              • Instruction Fuzzy Hash:
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 29a19975383796587081b97c1f68032ac336651628694357cdcd8a0cb87b8b2e
              • Instruction ID: 0db02091bf28119b3134b8de69f2483edabc6f67fa115fd1825ee8cb6f3f45c8
              • Opcode Fuzzy Hash: 29a19975383796587081b97c1f68032ac336651628694357cdcd8a0cb87b8b2e
              • Instruction Fuzzy Hash: 01D112B1A043468FDB14EF2CC88675BBBE5BF9431CF08056DE9449B642C734E958CB9A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E0138A5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
              				void* __ebx;
              				long _t105;
              				long _t106;
              				struct HWND__* _t107;
              				struct HWND__* _t111;
              				void* _t114;
              				void* _t115;
              				int _t116;
              				void* _t133;
              				void* _t137;
              				signed int _t149;
              				struct HWND__* _t152;
              				void* _t163;
              				void* _t166;
              				int _t169;
              				void* _t182;
              				struct HWND__* _t189;
              				void* _t190;
              				long _t195;
              				void* _t220;
              				signed int _t230;
              				void* _t231;
              				void* _t246;
              				long _t247;
              				long _t248;
              				long _t249;
              				signed int _t254;
              				WCHAR* _t255;
              				int _t259;
              				int _t261;
              				void* _t266;
              				void* _t270;
              				signed short _t275;
              				int _t277;
              				struct HWND__* _t279;
              				WCHAR* _t286;
              				WCHAR* _t288;
              				intOrPtr _t290;
              				void* _t299;
              				void* _t300;
              				struct HWND__* _t302;
              				signed int _t305;
              				void* _t306;
              				struct HWND__* _t308;
              				void* _t310;
              				long _t312;
              				struct HWND__* _t315;
              				struct HWND__* _t316;
              				void* _t317;
              				void* _t319;
              				void* _t321;
              				void* _t323;
              
              				_t299 = __edx;
              				_t285 = __ecx;
              				E0138D870(E013A14F6, _t321);
              				E0138D940();
              				_t275 =  *(_t321 + 0x10);
              				_t305 =  *(_t321 + 0xc);
              				_t302 =  *(_t321 + 8);
              				if(E013712D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
              					_t306 = _t305 - 0x110;
              					__eflags = _t306;
              					if(__eflags == 0) {
              						E0138C343(_t299, __eflags, __fp0, _t302);
              						_t105 =  *0x13bb704;
              						_t277 = 1;
              						 *0x13b75d8 = _t302;
              						 *0x13b75c8 = _t302;
              						__eflags = _t105;
              						if(_t105 != 0) {
              							SendMessageW(_t302, 0x80, 1, _t105); // executed
              						}
              						_t106 =  *0x13c5d04;
              						__eflags = _t106;
              						if(_t106 != 0) {
              							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
              						}
              						_t107 = GetDlgItem(_t302, 0x68);
              						 *(_t321 + 0x14) = _t107;
              						SendMessageW(_t107, 0x435, 0, 0x400000);
              						E013895F8(_t321 - 0x1164, 0x800);
              						_t111 = GetDlgItem(_t302, 0x66);
              						__eflags =  *0x13b9602;
              						_t308 = _t111;
              						 *(_t321 + 0x10) = _t308;
              						_t286 = 0x13b9602;
              						if( *0x13b9602 == 0) {
              							_t286 = _t321 - 0x1164;
              						}
              						SetWindowTextW(_t308, _t286);
              						E01389A32(_t308); // executed
              						_push(0x13b75e4);
              						_push(0x13b75e0);
              						_push(0x13cce18);
              						_push(_t302);
              						 *0x13b75d6 = 0; // executed
              						_t114 = E01389EEF(_t286, _t299, __eflags); // executed
              						__eflags = _t114;
              						if(_t114 == 0) {
              							 *0x13b75d1 = _t277;
              						}
              						__eflags =  *0x13b75e4;
              						if( *0x13b75e4 > 0) {
              							_push(7);
              							_push( *0x13b75e0);
              							_push(_t302);
              							E0138B4C7(_t299);
              						}
              						__eflags =  *0x13cde20;
              						if( *0x13cde20 == 0) {
              							SetDlgItemTextW(_t302, 0x6b, E0137DA42(_t286, 0xbf));
              							SetDlgItemTextW(_t302, _t277, E0137DA42(_t286, 0xbe));
              						}
              						__eflags =  *0x13b75e4;
              						if( *0x13b75e4 <= 0) {
              							L103:
              							__eflags =  *0x13b75d6;
              							if( *0x13b75d6 != 0) {
              								L114:
              								__eflags =  *0x13b95fc - 2;
              								if( *0x13b95fc == 2) {
              									EnableWindow(_t308, 0);
              								}
              								__eflags =  *0x13b85f8;
              								if( *0x13b85f8 != 0) {
              									E01371294(_t302, 0x67, 0);
              									E01371294(_t302, 0x66, 0);
              								}
              								_t115 =  *0x13b95fc;
              								__eflags = _t115;
              								if(_t115 != 0) {
              									__eflags =  *0x13b75d7;
              									if( *0x13b75d7 == 0) {
              										_push(0);
              										_push(_t277);
              										_push(0x111);
              										_push(_t302);
              										__eflags = _t115 - _t277;
              										if(_t115 != _t277) {
              											 *0x13adf38();
              										} else {
              											SendMessageW(); // executed
              										}
              									}
              								}
              								__eflags =  *0x13b75d1;
              								if( *0x13b75d1 != 0) {
              									SetDlgItemTextW(_t302, _t277, E0137DA42(_t286, 0x90));
              								}
              								goto L125;
              							}
              							__eflags =  *0x13cce0c;
              							if( *0x13cce0c != 0) {
              								goto L114;
              							}
              							__eflags =  *0x13b95fc;
              							if( *0x13b95fc != 0) {
              								goto L114;
              							}
              							__eflags = 0;
              							_t310 = 0xaa;
              							 *((short*)(_t321 - 0x9688)) = 0;
              							do {
              								__eflags = _t310 - 0xaa;
              								if(_t310 != 0xaa) {
              									L109:
              									__eflags = _t310 - 0xab;
              									if(__eflags != 0) {
              										L111:
              										E0137FA89(__eflags, _t321 - 0x9688, " ", 0x2000);
              										E0137FA89(__eflags, _t321 - 0x9688, E0137DA42(_t286, _t310), 0x2000);
              										goto L112;
              									}
              									__eflags =  *0x13cde20;
              									if(__eflags != 0) {
              										goto L112;
              									}
              									goto L111;
              								}
              								__eflags =  *0x13cde20;
              								if( *0x13cde20 == 0) {
              									goto L112;
              								}
              								goto L109;
              								L112:
              								_t310 = _t310 + 1;
              								__eflags = _t310 - 0xb0;
              							} while (__eflags <= 0);
              							_t286 =  *0x13b75e8; // 0x0
              							E01388FE6(_t286, __eflags,  *0x13b0064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
              							_t308 =  *(_t321 + 0x10);
              							goto L114;
              						} else {
              							_push(0);
              							_push( *0x13b75e0);
              							_push(_t302); // executed
              							E0138B4C7(_t299); // executed
              							_t133 =  *0x13cce0c;
              							__eflags = _t133;
              							if(_t133 != 0) {
              								__eflags =  *0x13b95fc;
              								if(__eflags == 0) {
              									_t288 =  *0x13b75e8; // 0x0
              									E01388FE6(_t288, __eflags,  *0x13b0064,  *(_t321 + 0x14), _t133, 0, 0);
              									L01392B4E( *0x13cce0c);
              									_pop(_t286);
              								}
              							}
              							__eflags =  *0x13b95fc - _t277;
              							if( *0x13b95fc == _t277) {
              								L102:
              								_push(_t277);
              								_push( *0x13b75e0);
              								_push(_t302);
              								E0138B4C7(_t299);
              								goto L103;
              							} else {
              								 *0x13adf3c(_t302);
              								__eflags =  *0x13b95fc - _t277;
              								if( *0x13b95fc == _t277) {
              									goto L102;
              								}
              								__eflags =  *0x13b9601;
              								if( *0x13b9601 != 0) {
              									goto L102;
              								}
              								_push(3);
              								_push( *0x13b75e0);
              								_push(_t302);
              								E0138B4C7(_t299);
              								__eflags =  *0x13cde18;
              								if( *0x13cde18 == 0) {
              									goto L102;
              								}
              								_t137 = DialogBoxParamW( *0x13b0064, L"LICENSEDLG", 0, E0138A3E1, 0);
              								__eflags = _t137;
              								if(_t137 == 0) {
              									L25:
              									 *0x13b75d7 = _t277;
              									L26:
              									_push(_t277);
              									L13:
              									EndDialog(_t302, ??); // executed
              									L125:
              									_t116 = _t277;
              									L126:
              									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
              									return _t116;
              								}
              								goto L102;
              							}
              						}
              					}
              					__eflags = _t306 != 1;
              					if(_t306 != 1) {
              						L7:
              						_t116 = 0;
              						goto L126;
              					}
              					_t149 = (_t275 & 0x0000ffff) - 1;
              					__eflags = _t149;
              					if(_t149 == 0) {
              						__eflags =  *0x13b75d0;
              						if( *0x13b75d0 != 0) {
              							L23:
              							_t312 = 0x800;
              							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
              							__eflags =  *0x13b75d0;
              							if( *0x13b75d0 == 0) {
              								__eflags =  *0x13b75d1;
              								if( *0x13b75d1 == 0) {
              									_t152 = GetDlgItem(_t302, 0x68);
              									__eflags =  *0x13b75cc;
              									_t279 = _t152;
              									if( *0x13b75cc == 0) {
              										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
              										SendMessageW(_t279, 0xc2, 0, 0x13a22e4);
              										_t312 = 0x800;
              									}
              									SetFocus(_t279);
              									__eflags =  *0x13b85f8;
              									if( *0x13b85f8 == 0) {
              										E0137FAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
              										E0138C10F(_t285, _t321 - 0x1164, _t312);
              										E01373E41(_t321 - 0x4288, 0x880, E0137DA42(_t285, 0xb9), _t321 - 0x1164);
              										_t323 = _t323 + 0x10;
              										_t163 = _t321 - 0x4288;
              									} else {
              										_t163 = E0137DA42(_t285, 0xba);
              									}
              									E0138C190(0, _t163);
              									__eflags =  *0x13b9601;
              									if( *0x13b9601 == 0) {
              										E0138C7FC(_t321 - 0x2164);
              									}
              									_push(0);
              									_push(_t321 - 0x2164);
              									 *(_t321 + 0x17) = 0;
              									_t166 = E01379D3A(0, _t321);
              									_t277 = 1;
              									__eflags = _t166;
              									if(_t166 != 0) {
              										L40:
              										_t300 = E01389A8D(_t321 - 0x2164);
              										 *((char*)(_t321 + 0x13)) = _t300;
              										__eflags = _t300;
              										if(_t300 != 0) {
              											L43:
              											_t169 =  *(_t321 + 0x17);
              											L44:
              											_t285 =  *0x13b9601;
              											__eflags = _t285;
              											if(_t285 != 0) {
              												L50:
              												__eflags =  *((char*)(_t321 + 0x13));
              												if( *((char*)(_t321 + 0x13)) != 0) {
              													 *0x13b75dc = _t277;
              													E013712B2(_t302, 0x67, 0);
              													E013712B2(_t302, 0x66, 0);
              													SetDlgItemTextW(_t302, _t277, E0137DA42(_t285, 0xe6)); // executed
              													E013712B2(_t302, 0x69, _t277);
              													SetDlgItemTextW(_t302, 0x65, 0x13a22e4); // executed
              													_t315 = GetDlgItem(_t302, 0x65);
              													__eflags = _t315;
              													if(_t315 != 0) {
              														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
              														__eflags = _t195;
              														SetWindowLongW(_t315, 0xfffffff0, _t195);
              													}
              													_push(5);
              													_push( *0x13b75e0);
              													_push(_t302);
              													E0138B4C7(_t300);
              													_push(2);
              													_push( *0x13b75e0);
              													_push(_t302);
              													E0138B4C7(_t300);
              													_push(0x13cce18);
              													_push(_t302);
              													 *0x13cfe3c = _t277; // executed
              													E0138C6FF(_t285, __eflags); // executed
              													_push(6);
              													_push( *0x13b75e0);
              													 *0x13cfe3c = 0;
              													_push(_t302);
              													E0138B4C7(_t300);
              													__eflags =  *0x13b75d7;
              													if( *0x13b75d7 == 0) {
              														__eflags =  *0x13b75cc;
              														if( *0x13b75cc == 0) {
              															__eflags =  *0x13cde2c;
              															if( *0x13cde2c == 0) {
              																_push(4);
              																_push( *0x13b75e0);
              																_push(_t302);
              																E0138B4C7(_t300);
              															}
              														}
              													}
              													E01371294(_t302, _t277, _t277);
              													 *0x13b75dc =  *0x13b75dc & 0x00000000;
              													__eflags =  *0x13b75dc;
              													_t182 =  *0x13b75d7; // 0x1
              													goto L75;
              												}
              												__eflags = _t285;
              												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
              												__eflags = _t169;
              												L52:
              												__eflags = _t169;
              												 *(_t321 + 0x17) = _t169 == 0;
              												__eflags = _t169;
              												if(_t169 == 0) {
              													L66:
              													__eflags =  *(_t321 + 0x17);
              													if( *(_t321 + 0x17) != 0) {
              														_push(E0137DA42(_t285, 0x9a));
              														E01373E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
              														E01376E03(0x13b00e0, _t277);
              														E01389735(_t302, _t321 - 0x5688, E0137DA42(0x13b00e0, 0x96), 0x30);
              														 *0x13b75cc =  *0x13b75cc + 1;
              													}
              													L12:
              													_push(0);
              													goto L13;
              												}
              												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
              												_t285 = 0x13bb602;
              												E0137E7AA(0x13bb602, _t321 - 0x164, 0x80);
              												_push(0x13ba602);
              												E01373E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
              												_t323 = _t323 + 0x14;
              												 *(_t321 - 0x48) = 0x3c;
              												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
              												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
              												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
              												 *(_t321 - 0x40) = _t302;
              												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
              												 *(_t321 - 0x2c) = _t277;
              												 *((intOrPtr*)(_t321 - 0x28)) = 0;
              												 *((intOrPtr*)(_t321 - 0x30)) = 0x13b75f8;
              												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
              												 *(_t321 + 8) = _t317;
              												__eflags = _t317;
              												if(_t317 == 0) {
              													 *(_t321 + 0x10) =  *(_t321 + 0x14);
              												} else {
              													 *0x13c5d08 = 0;
              													_t231 = GetCommandLineW();
              													__eflags = _t231;
              													if(_t231 != 0) {
              														E0137FAB1(0x13c5d0a, _t231, 0x2000);
              													}
              													E0138A24E(_t285, 0x13c9d0a, 7);
              													E0138A24E(_t285, 0x13cad0a, 2);
              													E0138A24E(_t285, 0x13cbd0a, 0x10);
              													 *0x13cce0b = _t277;
              													_t285 = 0x13ccd0a;
              													E0137E90C(_t277, 0x13ccd0a, _t321 - 0x164);
              													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
              													E0138EA80(_t238, 0x13c5d08, 0x7104);
              													_t323 = _t323 + 0xc;
              												}
              												_t220 = ShellExecuteExW(_t321 - 0x48);
              												E0137E957(_t321 - 0x164, 0x80);
              												E0137E957(_t321 - 0x11ca0, 0x430c);
              												__eflags = _t220;
              												if(_t220 == 0) {
              													_t319 =  *(_t321 + 0x10);
              													 *(_t321 + 0x17) = _t277;
              													goto L64;
              												} else {
              													 *0x13adf20( *(_t321 - 0x10), 0x2710);
              													_t71 = _t321 + 0xc;
              													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
              													__eflags =  *_t71;
              													_t319 =  *(_t321 + 0x10);
              													while(1) {
              														__eflags =  *_t319;
              														if( *_t319 != 0) {
              															break;
              														}
              														Sleep(0x64);
              														_t230 =  *(_t321 + 0xc) + 1;
              														 *(_t321 + 0xc) = _t230;
              														__eflags = _t230 - 0x64;
              														if(_t230 < 0x64) {
              															continue;
              														}
              														break;
              													}
              													 *0x13cde2c =  *(_t321 - 0x10);
              													L64:
              													__eflags =  *(_t321 + 8);
              													if( *(_t321 + 8) != 0) {
              														UnmapViewOfFile(_t319);
              														CloseHandle( *(_t321 + 8));
              													}
              													goto L66;
              												}
              											}
              											__eflags = _t300;
              											if(_t300 == 0) {
              												goto L52;
              											}
              											E01373E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
              											_t323 = _t323 + 0x10;
              											E0137943C(_t321 - 0x3188);
              											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
              											_push(0x11);
              											_push(_t321 - 0x1164);
              											_t246 = E01379528(_t321 - 0x3188);
              											 *((char*)(_t321 + 0x13)) = _t246;
              											__eflags = _t246;
              											if(_t246 == 0) {
              												_t247 = GetLastError();
              												__eflags = _t247 - 5;
              												if(_t247 == 5) {
              													 *(_t321 + 0x17) = _t277;
              												}
              											}
              											_t39 = _t321 - 4;
              											 *_t39 =  *(_t321 - 4) | 0xffffffff;
              											__eflags =  *_t39;
              											_t169 = E0137946E(_t321 - 0x3188); // executed
              											_t285 =  *0x13b9601;
              											goto L50;
              										}
              										_t248 = GetLastError();
              										_t300 =  *((intOrPtr*)(_t321 + 0x13));
              										__eflags = _t248 - 5;
              										if(_t248 != 5) {
              											goto L43;
              										}
              										_t169 = _t277;
              										 *(_t321 + 0x17) = _t169;
              										goto L44;
              									} else {
              										_t249 = GetLastError();
              										__eflags = _t249 - 5;
              										if(_t249 == 5) {
              											L39:
              											 *(_t321 + 0x17) = _t277;
              											goto L40;
              										}
              										__eflags = _t249 - 3;
              										if(_t249 != 3) {
              											goto L40;
              										}
              										goto L39;
              									}
              								} else {
              									_t277 = 1;
              									_t182 = 1;
              									 *0x13b75d7 = 1;
              									L75:
              									__eflags =  *0x13b75cc;
              									if( *0x13b75cc <= 0) {
              										goto L26;
              									}
              									__eflags = _t182;
              									if(_t182 != 0) {
              										goto L26;
              									}
              									 *0x13b75d0 = _t277;
              									SetDlgItemTextW(_t302, _t277, E0137DA42(_t285, 0x90));
              									_t290 =  *0x13b00e0; // 0x0
              									__eflags = _t290 - 9;
              									if(_t290 != 9) {
              										__eflags = _t290 - 3;
              										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
              										__eflags = _t189;
              										 *(_t321 + 0x14) = _t189;
              										_t316 = _t189;
              									} else {
              										_t316 = 0xa0;
              									}
              									_t190 = E0137DA42(_t290, 0x96);
              									E01389735(_t302, E0137DA42(_t290, _t316), _t190, 0x30);
              									goto L125;
              								}
              							}
              							_t277 = 1;
              							__eflags =  *0x13b75d1;
              							if( *0x13b75d1 == 0) {
              								goto L26;
              							}
              							goto L25;
              						}
              						__eflags =  *0x13cfe3c;
              						if( *0x13cfe3c == 0) {
              							goto L23;
              						} else {
              							__eflags =  *0x13cfe3d;
              							_t254 = _t149 & 0xffffff00 |  *0x13cfe3d == 0x00000000;
              							__eflags = _t254;
              							 *0x13cfe3d = _t254;
              							_t255 = E0137DA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
              							_t277 = 1;
              							SetDlgItemTextW(_t302, 1, _t255);
              							while(1) {
              								__eflags =  *0x13cfe3d;
              								if( *0x13cfe3d == 0) {
              									goto L125;
              								}
              								__eflags =  *0x13b75d7;
              								if( *0x13b75d7 != 0) {
              									goto L125;
              								}
              								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
              								__eflags = _t259;
              								if(_t259 == 0) {
              									goto L125;
              								} else {
              									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
              									__eflags = _t261;
              									if(_t261 == 0) {
              										TranslateMessage(_t321 - 0x64);
              										DispatchMessageW(_t321 - 0x64);
              									}
              									continue;
              								}
              							}
              							goto L125;
              						}
              					}
              					_t266 = _t149 - 1;
              					__eflags = _t266;
              					if(_t266 == 0) {
              						_t277 = 1;
              						__eflags =  *0x13b75dc;
              						 *0x13b75d7 = 1;
              						if( *0x13b75dc == 0) {
              							goto L12;
              						}
              						__eflags =  *0x13b75cc;
              						if( *0x13b75cc != 0) {
              							goto L125;
              						}
              						goto L12;
              					}
              					__eflags = _t266 == 0x65;
              					if(_t266 == 0x65) {
              						_t270 = E01371217(_t302, E0137DA42(_t285, 0x64), _t321 - 0x1164);
              						__eflags = _t270;
              						if(_t270 != 0) {
              							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
              						}
              						goto L1;
              					}
              					goto L7;
              				}
              				L1:
              				_t116 = 1;
              				goto L126;
              			}























































              0x0138ab1d
              0x0138ab2b
              0x0138ab45
              0x0138ab4a
              0x0138ab4a
              0x0138a685
              0x0138a685
              0x00000000
              0x0138a685
              0x0138a942
              0x0138a953
              0x0138a959
              0x0138a95e
              0x0138a97b
              0x0138a980
              0x0138a983
              0x0138a990
              0x0138a997
              0x0138a9a0
              0x0138a9b8
              0x0138a9bb
              0x0138a9c2
              0x0138a9c5
              0x0138a9c8
              0x0138a9d5
              0x0138a9d7
              0x0138a9da
              0x0138a9dc
              0x0138aa67
              0x0138a9e2
              0x0138a9e2
              0x0138a9e9
              0x0138a9ef
              0x0138a9f1
              0x0138a9fe
              0x0138a9fe
              0x0138aa0a
              0x0138aa16
              0x0138aa22
              0x0138aa2d
              0x0138aa34
              0x0138aa39
              0x0138aa57
              0x0138aa5a
              0x0138aa5f
              0x0138aa5f
              0x0138aa6e
              0x0138aa82
              0x0138aa93
              0x0138aa98
              0x0138aa9a
              0x0138aad4
              0x0138aad7
              0x00000000
              0x0138aa9c
              0x0138aaa4
              0x0138aaaa
              0x0138aaaa
              0x0138aaaa
              0x0138aaae
              0x0138aab1
              0x0138aab1
              0x0138aab4
              0x00000000
              0x00000000
              0x0138aab8
              0x0138aac1
              0x0138aac2
              0x0138aac5
              0x0138aac8
              0x00000000
              0x00000000
              0x00000000
              0x0138aac8
              0x0138aacd
              0x0138aada
              0x0138aada
              0x0138aade
              0x0138aae1
              0x0138aaea
              0x0138aaea
              0x00000000
              0x0138aade
              0x0138aa9a
              0x0138a8a5
              0x0138a8a7
              0x00000000
              0x00000000
              0x0138a8c1
              0x0138a8c6
              0x0138a8cf
              0x0138a8d4
              0x0138a8de
              0x0138a8e0
              0x0138a8e7
              0x0138a8ec
              0x0138a8ef
              0x0138a8f1
              0x0138a8f3
              0x0138a8f5
              0x0138a8f8
              0x0138a8fa
              0x0138a8fa
              0x0138a8f8
              0x0138a8fd
              0x0138a8fd
              0x0138a8fd
              0x0138a907
              0x0138a90c
              0x00000000
              0x0138a90c
              0x0138a887
              0x0138a889
              0x0138a88c
              0x0138a88f
              0x00000000
              0x00000000
              0x0138a891
              0x0138a893
              0x00000000
              0x0138a861
              0x0138a861
              0x0138a863
              0x0138a866
              0x0138a86d
              0x0138a86f
              0x00000000
              0x0138a86f
              0x0138a868
              0x0138a86b
              0x00000000
              0x00000000
              0x00000000
              0x0138a86b
              0x0138a772
              0x0138a774
              0x0138a775
              0x0138a777
              0x0138ac3d
              0x0138ac3d
              0x0138ac44
              0x00000000
              0x00000000
              0x0138ac4a
              0x0138ac4c
              0x00000000
              0x00000000
              0x0138ac57
              0x0138ac65
              0x0138ac6b
              0x0138ac71
              0x0138ac74
              0x0138ac7f
              0x0138ac89
              0x0138ac89
              0x0138ac8e
              0x0138ac91
              0x0138ac76
              0x0138ac76
              0x0138ac76
              0x0138ac9a
              0x0138aca8
              0x00000000
              0x0138aca8
              0x0138a770
              0x0138a753
              0x0138a754
              0x0138a75b
              0x00000000
              0x00000000
              0x00000000
              0x0138a75b
              0x0138a6a0
              0x0138a6a7
              0x00000000
              0x0138a6ad
              0x0138a6ad
              0x0138a6b4
              0x0138a6b9
              0x0138a6bb
              0x0138a6ca
              0x0138a6d2
              0x0138a6d5
              0x0138a724
              0x0138a724
              0x0138a72b
              0x0138a72d
              0x0138a72d
              0x0138a6dd
              0x0138a6e4
              0x00000000
              0x00000000
              0x0138a6f3
              0x0138a6f9
              0x0138a6fb
              0x00000000
              0x0138a701
              0x0138a706
              0x0138a70c
              0x0138a70e
              0x0138a714
              0x0138a71e
              0x0138a71e
              0x00000000
              0x0138a70e
              0x0138a6fb
              0x00000000
              0x0138a724
              0x0138a6a7
              0x0138a62a
              0x0138a62a
              0x0138a62d
              0x0138a668
              0x0138a669
              0x0138a670
              0x0138a676
              0x00000000
              0x00000000
              0x0138a678
              0x0138a67f
              0x00000000
              0x00000000
              0x00000000
              0x0138a67f
              0x0138a62f
              0x0138a632
              0x0138a64b
              0x0138a650
              0x0138a652
              0x0138a65e
              0x0138a65e
              0x00000000
              0x0138a652
              0x00000000
              0x0138a632
              0x0138a609
              0x0138a60b
              0x00000000

              APIs
              • __EH_prolog.LIBCMT ref: 0138A5D6
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prologItemTextWindow
              • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
              • API String ID: 810644672-3472986185
              • Opcode ID: 112daea1b05b4f13c409f662b24ad6df59adbbcba640407bbc71b6ccc5ac38b9
              • Instruction ID: 7509b00859321cd6204be6198cafcca3f68079da8676734fbd135aab905b0649
              • Opcode Fuzzy Hash: 112daea1b05b4f13c409f662b24ad6df59adbbcba640407bbc71b6ccc5ac38b9
              • Instruction Fuzzy Hash: 4E42C171940349AEEB31BBA89C89FEE3B6CEB55B0CF40005AF705A71C5E7785948CB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E0137FD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
              				char _v1;
              				long _v4;
              				char* _t118;
              				void* _t126;
              				int _t130;
              				long _t141;
              				int _t167;
              				_Unknown_base(*)()* _t176;
              				_Unknown_base(*)()* _t177;
              				signed char _t184;
              				struct _SECURITY_ATTRIBUTES* _t195;
              				long _t197;
              				void* _t198;
              				struct HINSTANCE__* _t201;
              				signed int _t203;
              				signed int _t205;
              				void* _t206;
              				signed int _t207;
              				int _t208;
              				void* _t210;
              
              				E0138D940();
              				_push(_t207);
              				_a3 = 0;
              				_t201 = GetModuleHandleW(L"kernel32");
              				if(_t201 == 0) {
              					L5:
              					_t118 =  *0x13ad080; // 0x13a2884
              					_t208 = _t207 | 0xffffffff;
              					_t202 = 0x800;
              					_a8 = L"version.dll";
              					_a12 = L"DXGIDebug.dll";
              					_a16 = L"sfc_os.dll";
              					_a20 = L"SSPICLI.DLL";
              					_a24 = L"rsaenh.dll";
              					_a28 = L"UXTheme.dll";
              					_a32 = L"dwmapi.dll";
              					_a36 = L"cryptbase.dll";
              					_a40 = L"lpk.dll";
              					_a44 = L"usp10.dll";
              					_a48 = L"clbcatq.dll";
              					_a52 = L"comres.dll";
              					_a56 = L"ws2_32.dll";
              					_a60 = L"ws2help.dll";
              					_a64 = L"psapi.dll";
              					_a68 = L"ieframe.dll";
              					_a72 = L"ntshrui.dll";
              					_a76 = L"atl.dll";
              					_a80 = L"setupapi.dll";
              					_a84 = L"apphelp.dll";
              					_a88 = L"userenv.dll";
              					_a92 = L"netapi32.dll";
              					_a96 = L"shdocvw.dll";
              					_a100 = L"crypt32.dll";
              					_a104 = L"msasn1.dll";
              					_a108 = L"cryptui.dll";
              					_a112 = L"wintrust.dll";
              					_a116 = L"shell32.dll";
              					_a120 = L"secur32.dll";
              					_a124 = L"cabinet.dll";
              					_a128 = L"oleaccrc.dll";
              					_a132 = L"ntmarta.dll";
              					_a136 = L"profapi.dll";
              					_a140 = L"WindowsCodecs.dll";
              					_a144 = L"srvcli.dll";
              					_a148 = L"cscapi.dll";
              					_a152 = L"slc.dll";
              					_a156 = L"imageres.dll";
              					_a160 = L"dnsapi.DLL";
              					_a164 = L"iphlpapi.DLL";
              					_a168 = L"WINNSI.DLL";
              					_a172 = L"netutils.dll";
              					_a176 = L"mpr.dll";
              					_a180 = L"devrtl.dll";
              					_a184 = L"propsys.dll";
              					_a188 = L"mlang.dll";
              					_a192 = L"samcli.dll";
              					_a196 = L"samlib.dll";
              					_a200 = L"wkscli.dll";
              					_a204 = L"dfscli.dll";
              					_a208 = L"browcli.dll";
              					_a212 = L"rasadhlp.dll";
              					_a216 = L"dhcpcsvc6.dll";
              					_a220 = L"dhcpcsvc.dll";
              					_a224 = L"XmlLite.dll";
              					_a228 = L"linkinfo.dll";
              					_a232 = L"cryptsp.dll";
              					_a236 = L"RpcRtRemote.dll";
              					_a240 = L"aclui.dll";
              					_a244 = L"dsrole.dll";
              					_a248 = L"peerdist.dll";
              					if( *_t118 == 0x78) {
              						L14:
              						GetModuleFileNameW(0,  &_a772, _t202);
              						E0137FAB1( &_a9160, E0137B943(_t223,  &_a772), _t202);
              						_t195 = 0;
              						_t203 = 0;
              						do {
              							if(E0137A995() < 0x600) {
              								_t126 = 0;
              								__eflags = 0;
              							} else {
              								_t126 = E0137FCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
              							}
              							if(_t126 == 0) {
              								L20:
              								_push(0x800);
              								E0137B9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
              								_t130 = GetFileAttributesW( &_a760); // executed
              								if(_t130 != _t208) {
              									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
              									L24:
              									if(_v1 != 0) {
              										L30:
              										_t234 = _t195;
              										if(_t195 == 0) {
              											return _t130;
              										}
              										E0137B98D(_t234,  &_a768);
              										if(E0137A995() < 0x600) {
              											_push( &_a9160);
              											_push( &_a768);
              											E01373E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
              											_t210 = _t210 + 0x18;
              											_t130 = AllocConsole();
              											__eflags = _t130;
              											if(_t130 != 0) {
              												__imp__AttachConsole(GetCurrentProcessId());
              												_t141 = E01392B33( &_a4860);
              												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
              												Sleep(0x2710);
              												_t130 = FreeConsole();
              											}
              										} else {
              											E0137FCFD(L"dwmapi.dll");
              											E0137FCFD(L"uxtheme.dll");
              											_push( &_a9152);
              											_push( &_a760);
              											E01373E41( &_a4852, 0x864, E0137DA42(_t185, 0xf1), _t195);
              											_t210 = _t210 + 0x18;
              											_t130 = E01389735(0,  &_a4848, E0137DA42(_t185, 0xf0), 0x30);
              										}
              										ExitProcess(0);
              									}
              									_t205 = 0;
              									while(1) {
              										_push(0x800);
              										E0137B9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
              										_t130 = GetFileAttributesW( &_a756);
              										if(_t130 != _t208) {
              											break;
              										}
              										_t205 = _t205 + 1;
              										if(_t205 < 0x35) {
              											continue;
              										}
              										goto L30;
              									}
              									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
              									goto L30;
              								}
              							} else {
              								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x24 + _t203 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
              								_t227 = _t130 - 2;
              								if(_t130 != 2) {
              									goto L21;
              								}
              								goto L20;
              							}
              							L21:
              							_t203 = _t203 + 1;
              						} while (_t203 < 8);
              						goto L24;
              					}
              					_t197 = E01396662(_t185, _t118);
              					_pop(_t185);
              					if(_t197 == 0) {
              						goto L14;
              					}
              					GetModuleFileNameW(0,  &_a4868, 0x800);
              					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
              					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
              						L13:
              						CloseHandle(_t206);
              						_t202 = 0x800;
              						goto L14;
              					} else {
              						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
              						_t222 = _t167;
              						if(_t167 == 0) {
              							goto L13;
              						}
              						_t185 = 0;
              						_push(0x104);
              						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
              						_push( &_a252);
              						_push( &_a13260);
              						while(1) {
              							_t198 = E0137F835(_t222);
              							_t223 = _t198;
              							if(_t198 == 0) {
              								goto L13;
              							}
              							E0137FCFD( &_a252);
              							_push(0x104);
              							_push( &_a248);
              							_push(_t198);
              						}
              						goto L13;
              					}
              				}
              				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
              				_t184 = _a46032;
              				if(_t176 != 0) {
              					asm("sbb ecx, ecx");
              					_t185 =  ~(_t184 & 0x000000ff) & 0x013a22e4;
              					 *_t176( ~(_t184 & 0x000000ff) & 0x013a22e4);
              				}
              				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
              				if(_t177 != 0) {
              					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
              					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
              					_v1 = 1;
              				}
              				goto L5;
              			}

              APIs
              • GetModuleHandleW.KERNEL32 ref: 0137FD61
              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0137FD79
              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0137FD9C
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01380047
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0138005F
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01380071
              • ReadFile.KERNEL32(00000000,?,00007FFE,013A28D4,00000000), ref: 01380090
              • CloseHandle.KERNEL32(00000000), ref: 013800E8
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 013800FE
              • CompareStringW.KERNELBASE(00000400,00001001,013A2920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 01380158
              • GetFileAttributesW.KERNELBASE(?,?,013A28EC,00000800,?,00000000,?,00000800), ref: 01380181
              • GetFileAttributesW.KERNEL32(?,?,013A29AC,00000800), ref: 013801BA
                • Part of subcall function 0137FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0137FD18
                • Part of subcall function 0137FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0137E7F6,Crypt32.dll,?,0137E878,?,0137E85C,?,?,?,?), ref: 0137FD3A
              • _swprintf.LIBCMT ref: 0138022A
              • _swprintf.LIBCMT ref: 01380276
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
              • AllocConsole.KERNEL32 ref: 0138027E
              • GetCurrentProcessId.KERNEL32 ref: 01380288
              • AttachConsole.KERNEL32(00000000), ref: 0138028F
              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 013802B5
              • WriteConsoleW.KERNEL32(00000000), ref: 013802BC
              • Sleep.KERNEL32(00002710), ref: 013802C7
              • FreeConsole.KERNEL32 ref: 013802CD
              • ExitProcess.KERNEL32 ref: 013802D5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
              • API String ID: 1201351596-3298887752
              • Opcode ID: 31c6546ccfed8aeff0650379032480a639c5bc02c894b4f79d5393dcbe408ca0
              • Instruction ID: c472222c8ecdf75e0a97bcc22c46a7f9cecbad3c3de52ef317aa7e55512c485e
              • Opcode Fuzzy Hash: 31c6546ccfed8aeff0650379032480a639c5bc02c894b4f79d5393dcbe408ca0
              • Instruction Fuzzy Hash: 08D16CB5148385ABD739EF54C848B9FBAECFB8570CF80491CF69896240CB74854DCBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 49%
              			E0138B4C7(void* __edx) {
              				intOrPtr _t215;
              				void* _t220;
              				intOrPtr _t278;
              				void* _t291;
              				WCHAR* _t293;
              				void* _t296;
              				WCHAR* _t297;
              				void* _t302;
              
              				_t291 = __edx;
              				E0138D870(E013A150B, _t302);
              				_t215 = 0x1bc80;
              				E0138D940();
              				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
              					L169:
              					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
              					return _t215;
              				}
              				_push(0x1000);
              				_push(_t302 - 0xe);
              				_push(_t302 - 0xd);
              				_push(_t302 - 0x5c84);
              				_push(_t302 - 0xfc8c);
              				_push( *((intOrPtr*)(_t302 + 0xc)));
              				_t215 = E0138A156();
              				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
              				if(0x1bc80 != 0) {
              					_t278 =  *((intOrPtr*)(_t302 + 0x10));
              					do {
              						_t220 = _t302 - 0x5c84;
              						_t296 = _t302 - 0x1bc8c;
              						_t293 = 6;
              						goto L4;
              						L6:
              						while(E01381410(_t302 - 0xfc8c,  *((intOrPtr*)(0x13ad618 + _t297 * 4))) != 0) {
              							_t297 =  &(_t297[0]);
              							if(_t297 < 0xe) {
              								continue;
              							} else {
              								goto L167;
              							}
              						}
              						if(_t297 > 0xd) {
              							goto L167;
              						}
              						switch( *((intOrPtr*)(_t297 * 4 +  &M0138C0D7))) {
              							case 0:
              								__eflags = _t278 - 2;
              								if(_t278 != 2) {
              									goto L167;
              								}
              								_t299 = 0x800;
              								E013895F8(_t302 - 0x7c84, 0x800);
              								E0137A188(E0137B625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
              								 *(_t302 - 4) = _t293;
              								E0137A2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
              								E01376EF9(_t302 - 0x3c84);
              								_push(_t293);
              								_t286 = _t302 - 0x8c8c;
              								_t238 = E0137A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
              								__eflags = _t238;
              								if(_t238 == 0) {
              									L28:
              									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
              									E0137A19E(_t302 - 0x8c8c);
              									goto L167;
              								} else {
              									goto L15;
              									L16:
              									E0137B1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
              									E0137AEA5(__eflags, _t302 - 0x103c, _t299);
              									_t301 = E01392B33(_t302 - 0x7c84);
              									__eflags = _t301 - 4;
              									if(_t301 < 4) {
              										L18:
              										_t266 = E0137B5E5(_t302 - 0x5c84);
              										__eflags = _t266;
              										if(_t266 != 0) {
              											goto L28;
              										}
              										L19:
              										_t268 = E01392B33(_t302 - 0x3c84);
              										__eflags = 0;
              										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
              										E0138E920(_t293, _t302 - 0x3c, _t293, 0x1e);
              										_t304 = _t304 + 0x10;
              										 *((intOrPtr*)(_t302 - 0x38)) = 3;
              										_push(0x14);
              										_pop(_t271);
              										 *((short*)(_t302 - 0x2c)) = _t271;
              										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
              										_push(_t302 - 0x3c);
              										 *0x13adef4();
              										goto L20;
              									}
              									_t276 = E01392B33(_t302 - 0x103c);
              									__eflags = _t301 - _t276;
              									if(_t301 > _t276) {
              										goto L19;
              									}
              									goto L18;
              									L20:
              									_t243 = GetFileAttributesW(_t302 - 0x3c84);
              									__eflags = _t243 - 0xffffffff;
              									if(_t243 == 0xffffffff) {
              										L27:
              										_push(_t293);
              										_t286 = _t302 - 0x8c8c;
              										_t245 = E0137A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
              										__eflags = _t245;
              										if(_t245 != 0) {
              											_t299 = 0x800;
              											L15:
              											SetFileAttributesW(_t302 - 0x3c84, _t293);
              											__eflags =  *((char*)(_t302 - 0x2c78));
              											if(__eflags == 0) {
              												goto L20;
              											}
              											goto L16;
              										}
              										goto L28;
              									}
              									_t247 = DeleteFileW(_t302 - 0x3c84);
              									__eflags = _t247;
              									if(_t247 != 0) {
              										goto L27;
              									} else {
              										_t300 = _t293;
              										_push(_t293);
              										goto L24;
              										L24:
              										E01373E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
              										_t304 = _t304 + 0x14;
              										_t252 = GetFileAttributesW(_t302 - 0x103c);
              										__eflags = _t252 - 0xffffffff;
              										if(_t252 != 0xffffffff) {
              											_t300 = _t300 + 1;
              											__eflags = _t300;
              											_push(_t300);
              											goto L24;
              										} else {
              											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
              											__eflags = _t255;
              											if(_t255 != 0) {
              												MoveFileExW(_t302 - 0x103c, _t293, 4);
              											}
              											goto L27;
              										}
              									}
              								}
              							case 1:
              								__eflags = __ebx;
              								if(__ebx == 0) {
              									__eax = E01392B33(__esi);
              									__eax = __eax + __edi;
              									_push(__eax);
              									_push( *0x13cce0c);
              									__eax = E01392B5E(__ecx, __edx);
              									__esp = __esp + 0xc;
              									__eflags = __eax;
              									if(__eax != 0) {
              										 *0x13cce0c = __eax;
              										__eflags = __bl;
              										if(__bl != 0) {
              											__ecx = 0;
              											__eflags = 0;
              											 *__eax = __cx;
              										}
              										__eax = E013966ED(__eax, __esi);
              										_pop(__ecx);
              										_pop(__ecx);
              									}
              									__eflags = __bh;
              									if(__bh == 0) {
              										__eax = L01392B4E(__esi);
              									}
              								}
              								goto L167;
              							case 2:
              								__eflags = __ebx;
              								if(__ebx == 0) {
              									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
              								}
              								goto L167;
              							case 3:
              								__eflags = __ebx;
              								if(__ebx != 0) {
              									goto L167;
              								}
              								__eflags =  *0x13b9602 - __di;
              								if( *0x13b9602 != __di) {
              									goto L167;
              								}
              								__eax = 0;
              								__edi = __ebp - 0x5c84;
              								_push(0x22);
              								 *(__ebp - 0x103c) = __ax;
              								_pop(__eax);
              								__eflags =  *(__ebp - 0x5c84) - __ax;
              								if( *(__ebp - 0x5c84) == __ax) {
              									__edi = __ebp - 0x5c82;
              								}
              								__eax = E01392B33(__edi);
              								__esi = 0x800;
              								__eflags = __eax - 0x800;
              								if(__eax >= 0x800) {
              									goto L167;
              								} else {
              									__eax =  *__edi & 0x0000ffff;
              									_push(0x5c);
              									_pop(__ecx);
              									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
              									if(( *__edi & 0x0000ffff) != 0x2e) {
              										L54:
              										__eflags = __ax - __cx;
              										if(__ax == __cx) {
              											L66:
              											__ebp - 0x103c = E0137FAB1(__ebp - 0x103c, __edi, __esi);
              											__ebx = 0;
              											__eflags = 0;
              											L67:
              											_push(0x22);
              											_pop(__eax);
              											__eax = __ebp - 0x103c;
              											__eax = E01390D9B(__ebp - 0x103c, __ebp - 0x103c);
              											_pop(__ecx);
              											_pop(__ecx);
              											__eflags = __eax;
              											if(__eax != 0) {
              												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
              												if( *((intOrPtr*)(__eax + 2)) == __bx) {
              													__ecx = 0;
              													__eflags = 0;
              													 *__eax = __cx;
              												}
              											}
              											__eax = __ebp - 0x103c;
              											__edi = 0x13b9602;
              											E0137FAB1(0x13b9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
              											__eax = E01389FFC(__ebp - 0x103c, __esi);
              											__esi = GetDlgItem( *(__ebp + 8), 0x66);
              											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
              											__ebx =  *0x13adf7c;
              											__eax = SendMessageW(__esi, 0x143, __ebx, 0x13b9602); // executed
              											__eax = __ebp - 0x103c;
              											__eax = E01392B69(__ebp - 0x103c, 0x13b9602, __eax);
              											_pop(__ecx);
              											_pop(__ecx);
              											__eflags = __eax;
              											if(__eax != 0) {
              												__ebp - 0x103c = 0;
              												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
              											}
              											goto L167;
              										}
              										__eflags = __ax;
              										if(__ax == 0) {
              											L57:
              											__eax = __ebp - 0x18;
              											__ebx = 0;
              											_push(__ebp - 0x18);
              											_push(1);
              											_push(0);
              											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
              											_push(0x80000002);
              											__eax =  *0x13adea8();
              											__eflags = __eax;
              											if(__eax == 0) {
              												__eax = __ebp - 0x14;
              												 *(__ebp - 0x14) = 0x1000;
              												_push(__ebp - 0x14);
              												__eax = __ebp - 0x103c;
              												_push(__ebp - 0x103c);
              												__eax = __ebp - 0x1c;
              												_push(__ebp - 0x1c);
              												_push(0);
              												_push(L"ProgramFilesDir");
              												_push( *(__ebp - 0x18));
              												__eax =  *0x13adea4();
              												_push( *(__ebp - 0x18));
              												 *0x13ade84() =  *(__ebp - 0x14);
              												__ecx = 0x7ff;
              												__eax =  *(__ebp - 0x14) >> 1;
              												__eflags = __eax - 0x7ff;
              												if(__eax >= 0x7ff) {
              													__eax = 0x7ff;
              												}
              												__ecx = 0;
              												__eflags = 0;
              												 *(__ebp + __eax * 2 - 0x103c) = __cx;
              											}
              											__eflags =  *(__ebp - 0x103c) - __bx;
              											if( *(__ebp - 0x103c) != __bx) {
              												__eax = __ebp - 0x103c;
              												__eax = E01392B33(__ebp - 0x103c);
              												_push(0x5c);
              												_pop(__ecx);
              												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
              												if(__eflags != 0) {
              													__ebp - 0x103c = E0137FA89(__eflags, __ebp - 0x103c, "\\", __esi);
              												}
              											}
              											__esi = E01392B33(__edi);
              											__eax = __ebp - 0x103c;
              											__eflags = __esi - 0x7ff;
              											__esi = 0x800;
              											if(__eflags < 0) {
              												__ebp - 0x103c = E0137FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
              											}
              											goto L67;
              										}
              										__eflags =  *((short*)(__edi + 2)) - 0x3a;
              										if( *((short*)(__edi + 2)) == 0x3a) {
              											goto L66;
              										}
              										goto L57;
              									}
              									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
              									if( *((intOrPtr*)(__edi + 2)) != __cx) {
              										goto L54;
              									}
              									__edi = __edi + 4;
              									__ebx = 0;
              									__eflags =  *__edi - __bx;
              									if( *__edi == __bx) {
              										goto L167;
              									} else {
              										__ebp - 0x103c = E0137FAB1(__ebp - 0x103c, __edi, 0x800);
              										goto L67;
              									}
              								}
              							case 4:
              								__eflags =  *0x13b95fc - 1;
              								__eflags = __eax - 0x13b95fc;
              								 *__edi =  *__edi + __ecx;
              								__eflags =  *(__ebx + 6) & __bl;
              								 *__eax =  *__eax + __al;
              								__eflags =  *__eax;
              							case 5:
              								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              								__ecx = 0;
              								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              								__eflags = __eax;
              								if(__eax == 0) {
              									L84:
              									 *0x13b75d2 = __cl;
              									 *0x13b75d3 = 1;
              									goto L167;
              								}
              								__eax = __eax - 0x30;
              								__eflags = __eax;
              								if(__eax == 0) {
              									 *0x13b75d2 = __cl;
              									L83:
              									 *0x13b75d3 = __cl;
              									goto L167;
              								}
              								__eax = __eax - 1;
              								__eflags = __eax;
              								if(__eax == 0) {
              									goto L84;
              								}
              								__eax = __eax - 1;
              								__eflags = __eax;
              								if(__eax != 0) {
              									goto L167;
              								}
              								 *0x13b75d2 = 1;
              								goto L83;
              							case 6:
              								__eflags = __ebx - 4;
              								if(__ebx != 4) {
              									goto L94;
              								}
              								__eax = __ebp - 0x5c84;
              								__eax = E01392B69(__ebp - 0x5c84, __eax, L"<>");
              								_pop(__ecx);
              								_pop(__ecx);
              								__eflags = __eax;
              								if(__eax == 0) {
              									goto L94;
              								}
              								_push(__edi);
              								goto L93;
              							case 7:
              								__eflags = __ebx - 1;
              								if(__eflags != 0) {
              									L115:
              									__eflags = __ebx - 7;
              									if(__ebx == 7) {
              										__eflags =  *0x13b95fc;
              										if( *0x13b95fc == 0) {
              											 *0x13b95fc = 2;
              										}
              										 *0x13b85f8 = 1;
              									}
              									goto L167;
              								}
              								__eax = __ebp - 0x7c84;
              								__edi = 0x800;
              								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
              								E0137AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
              								__esi = 0;
              								_push(0);
              								while(1) {
              									_push( *0x13ad5f8);
              									__ebp - 0x7c84 = E01373E41(0x13b85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
              									__eax = E01379E6B(0x13b85fa);
              									__eflags = __al;
              									if(__al == 0) {
              										break;
              									}
              									__esi =  &(__esi->i);
              									__eflags = __esi;
              									_push(__esi);
              								}
              								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x13b85fa);
              								__eflags =  *(__ebp - 0x5c84);
              								if( *(__ebp - 0x5c84) == 0) {
              									goto L167;
              								}
              								__eflags =  *0x13c5d02;
              								if( *0x13c5d02 != 0) {
              									goto L167;
              								}
              								__eax = 0;
              								 *(__ebp - 0x143c) = __ax;
              								__eax = __ebp - 0x5c84;
              								_push(0x2c);
              								_push(__ebp - 0x5c84);
              								__eax = E01390BB8(__ecx);
              								_pop(__ecx);
              								_pop(__ecx);
              								__eflags = __eax;
              								if(__eax != 0) {
              									L111:
              									__eflags =  *(__ebp - 0x143c);
              									if( *(__ebp - 0x143c) == 0) {
              										__ebp - 0x1bc8c = __ebp - 0x5c84;
              										E0137FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
              										__ebp - 0x143c = E0137FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
              									}
              									__ebp - 0x5c84 = E01389C4F(__ebp - 0x5c84);
              									__eax = 0;
              									 *(__ebp - 0x4c84) = __ax;
              									__ebp - 0x143c = __ebp - 0x5c84;
              									__eax = E01389735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
              									__eflags = __eax - 6;
              									if(__eax == 6) {
              										goto L167;
              									} else {
              										__eax = 0;
              										__eflags = 0;
              										 *0x13b75d7 = 1;
              										 *0x13b85fa = __ax;
              										__eax = EndDialog( *(__ebp + 8), 1);
              										goto L115;
              									}
              								}
              								__edx = 0;
              								__esi = 0;
              								__eflags =  *(__ebp - 0x5c84) - __dx;
              								if( *(__ebp - 0x5c84) == __dx) {
              									goto L111;
              								}
              								__ecx = 0;
              								__eax = __ebp - 0x5c84;
              								while(1) {
              									__eflags =  *__eax - 0x40;
              									if( *__eax == 0x40) {
              										break;
              									}
              									__esi =  &(__esi->i);
              									__eax = __ebp - 0x5c84;
              									__ecx = __esi + __esi;
              									__eax = __ebp - 0x5c84 + __ecx;
              									__eflags =  *__eax - __dx;
              									if( *__eax != __dx) {
              										continue;
              									}
              									goto L111;
              								}
              								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
              								__ebp - 0x143c = E0137FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
              								__eax = 0;
              								__eflags = 0;
              								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
              								goto L111;
              							case 8:
              								__eflags = __ebx - 3;
              								if(__ebx == 3) {
              									__eflags =  *(__ebp - 0x5c84) - __di;
              									if(__eflags != 0) {
              										__eax = __ebp - 0x5c84;
              										_push(__ebp - 0x5c84);
              										__eax = E0139668C(__ebx, __edi);
              										_pop(__ecx);
              										 *0x13cde1c = __eax;
              									}
              									__eax = __ebp + 0xc;
              									_push(__ebp + 0xc);
              									 *0x13cde18 = E0138A2AE(__ecx, __edx, __eflags);
              								}
              								 *0x13c5d03 = 1;
              								goto L167;
              							case 9:
              								__eflags = __ebx - 5;
              								if(__ebx != 5) {
              									L94:
              									 *0x13cde20 = 1;
              									goto L167;
              								}
              								_push(1);
              								L93:
              								__eax = __ebp - 0x5c84;
              								_push(__ebp - 0x5c84);
              								_push( *(__ebp + 8));
              								__eax = E0138C431();
              								goto L94;
              							case 0xa:
              								__eflags = __ebx - 6;
              								if(__ebx != 6) {
              									goto L167;
              								}
              								__eax = 0;
              								 *(__ebp - 0x2c3c) = __ax;
              								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
              								__eax = E013959C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
              								_push(0x800);
              								__eflags = __eax - 0x50;
              								if(__eax == 0x50) {
              									_push(0x13cad0a);
              									__eax = __ebp - 0x2c3c;
              									_push(__ebp - 0x2c3c);
              									__eax = E0137FAB1();
              									 *(__ebp - 0x14) = 2;
              								} else {
              									__eflags = __eax - 0x54;
              									__eax = __ebp - 0x2c3c;
              									if(__eflags == 0) {
              										_push(0x13c9d0a);
              										_push(__eax);
              										__eax = E0137FAB1();
              										 *(__ebp - 0x14) = 7;
              									} else {
              										_push(0x13cbd0a);
              										_push(__eax);
              										__eax = E0137FAB1();
              										 *(__ebp - 0x14) = 0x10;
              									}
              								}
              								__eax = 0;
              								 *(__ebp - 0x9c8c) = __ax;
              								 *(__ebp - 0x1c3c) = __ax;
              								__ebp - 0x19c8c = __ebp - 0x6c84;
              								__eax = E01394D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
              								_pop(__ecx);
              								_pop(__ecx);
              								_push(0x22);
              								_pop(__ebx);
              								__eflags =  *(__ebp - 0x6c84) - __bx;
              								if( *(__ebp - 0x6c84) != __bx) {
              									__ebp - 0x6c84 = E01379E6B(__ebp - 0x6c84);
              									__eflags = __al;
              									if(__al != 0) {
              										goto L152;
              									}
              									__ebx = __edi;
              									__esi = __ebp - 0x6c84;
              									__eflags =  *(__ebp - 0x6c84) - __bx;
              									if( *(__ebp - 0x6c84) == __bx) {
              										goto L152;
              									}
              									_push(0x20);
              									_pop(__ecx);
              									do {
              										__eax = __esi->i & 0x0000ffff;
              										__eflags = __ax - __cx;
              										if(__ax == __cx) {
              											L140:
              											__edi = __eax;
              											__eax = 0;
              											__esi->i = __ax;
              											__ebp - 0x6c84 = E01379E6B(__ebp - 0x6c84);
              											__eflags = __al;
              											if(__al == 0) {
              												__esi->i = __di;
              												L148:
              												_push(0x20);
              												_pop(__ecx);
              												__edi = 0;
              												__eflags = 0;
              												goto L149;
              											}
              											_push(0x2f);
              											_pop(__eax);
              											__ebx = __esi;
              											__eflags = __di - __ax;
              											if(__di != __ax) {
              												_push(0x20);
              												_pop(__eax);
              												do {
              													__esi =  &(__esi->i);
              													__eflags = __esi->i - __ax;
              												} while (__esi->i == __ax);
              												_push(__esi);
              												__eax = __ebp - 0x1c3c;
              												L146:
              												_push(__eax);
              												__eax = E01394D7E();
              												_pop(__ecx);
              												_pop(__ecx);
              												 *__ebx = __di;
              												goto L148;
              											}
              											 *(__ebp - 0x1c3c) = __ax;
              											__eax =  &(__esi->i);
              											_push( &(__esi->i));
              											__eax = __ebp - 0x1c3a;
              											goto L146;
              										}
              										_push(0x2f);
              										_pop(__edx);
              										__eflags = __ax - __dx;
              										if(__ax != __dx) {
              											goto L149;
              										}
              										goto L140;
              										L149:
              										__esi =  &(__esi->i);
              										__eflags = __esi->i - __di;
              									} while (__esi->i != __di);
              									__eflags = __ebx;
              									if(__ebx != 0) {
              										__eax = 0;
              										__eflags = 0;
              										 *__ebx = __ax;
              									}
              									goto L152;
              								} else {
              									__ebp - 0x19c8a = __ebp - 0x6c84;
              									E01394D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
              									_push(__ebx);
              									_push(__ebp - 0x6c82);
              									__eax = E01390BB8(__ecx);
              									__esp = __esp + 0x10;
              									__eflags = __eax;
              									if(__eax != 0) {
              										__ecx = 0;
              										 *__eax = __cx;
              										__ebp - 0x1c3c = E01394D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
              										_pop(__ecx);
              										_pop(__ecx);
              									}
              									L152:
              									__eflags =  *(__ebp - 0x11c8c);
              									__ebx = 0x800;
              									if( *(__ebp - 0x11c8c) != 0) {
              										_push(0x800);
              										__eax = __ebp - 0x9c8c;
              										_push(__ebp - 0x9c8c);
              										__eax = __ebp - 0x11c8c;
              										_push(__ebp - 0x11c8c);
              										__eax = E0137AED7();
              									}
              									_push(__ebx);
              									__eax = __ebp - 0xbc8c;
              									_push(__ebp - 0xbc8c);
              									__eax = __ebp - 0x6c84;
              									_push(__ebp - 0x6c84);
              									__eax = E0137AED7();
              									__eflags =  *(__ebp - 0x2c3c);
              									if(__eflags == 0) {
              										__ebp - 0x2c3c = E0138A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
              									}
              									__ebp - 0x2c3c = E0137AEA5(__eflags, __ebp - 0x2c3c, __ebx);
              									__eflags =  *((short*)(__ebp - 0x17c8c));
              									if(__eflags != 0) {
              										__ebp - 0x17c8c = __ebp - 0x2c3c;
              										E0137FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
              										__eax = E0137AEA5(__eflags, __ebp - 0x2c3c, __ebx);
              									}
              									__ebp - 0x2c3c = __ebp - 0xcc8c;
              									__eax = E01394D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
              									__eflags =  *(__ebp - 0x13c8c);
              									__eax = __ebp - 0x13c8c;
              									_pop(__ecx);
              									_pop(__ecx);
              									if(__eflags == 0) {
              										__eax = __ebp - 0x19c8c;
              									}
              									__ebp - 0x2c3c = E0137FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
              									__eax = __ebp - 0x2c3c;
              									__eflags = E0137B153(__ebp - 0x2c3c);
              									if(__eflags == 0) {
              										L162:
              										__ebp - 0x2c3c = E0137FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
              										goto L163;
              									} else {
              										__eflags = __eax;
              										if(__eflags == 0) {
              											L163:
              											_push(1);
              											__eax = __ebp - 0x2c3c;
              											_push(__ebp - 0x2c3c);
              											E01379D3A(__ecx, __ebp) = __ebp - 0xbc8c;
              											__ebp - 0xac8c = E01394D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
              											_pop(__ecx);
              											_pop(__ecx);
              											__ebp - 0xac8c = E0137B98D(__eflags, __ebp - 0xac8c);
              											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
              											__eax = __ebp - 0x1c3c;
              											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
              											__edx = __ebp - 0x9c8c;
              											__esi = __ebp - 0xac8c;
              											asm("sbb ecx, ecx");
              											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
              											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
              											asm("sbb eax, eax");
              											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
              											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
              											__eax = __ebp - 0x15c8c;
              											asm("sbb edx, edx");
              											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
              											E01389D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
              											__ebp - 0xbc8c = E01389450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
              											__eflags =  *(__ebp - 0xcc8c);
              											if( *(__ebp - 0xcc8c) != 0) {
              												_push(__edi);
              												__eax = __ebp - 0xcc8c;
              												_push(__ebp - 0xcc8c);
              												_push(5);
              												_push(0x1000);
              												__eax =  *0x13adef8();
              											}
              											goto L167;
              										}
              										goto L162;
              									}
              								}
              							case 0xb:
              								__eflags = __ebx - 7;
              								if(__ebx == 7) {
              									 *0x13b9600 = 1;
              								}
              								goto L167;
              							case 0xc:
              								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              								__eax = E013959C0( *(__ebp - 0x5c84) & 0x0000ffff);
              								__eflags = __eax - 0x46;
              								if(__eax == 0x46) {
              									 *0x13b75d4 = 1;
              								} else {
              									__eflags = __eax - 0x55;
              									if(__eax == 0x55) {
              										 *0x13b75d5 = 1;
              									} else {
              										__eax = 0;
              										 *0x13b75d4 = __al;
              										 *0x13b75d5 = __al;
              									}
              								}
              								goto L167;
              							case 0xd:
              								 *0x13cde21 = 1;
              								__eax = __eax + 0x13cde21;
              								_t112 = __esi + 0x39;
              								 *_t112 =  *(__esi + 0x39) + __esp;
              								__eflags =  *_t112;
              								__ebp = 0xffffa37c;
              								if( *_t112 != 0) {
              									_t114 = __ebp - 0x5c84; // 0xffff46f8
              									__eax = _t114;
              									_push(_t114);
              									 *0x13ad5fc = E013813FC();
              								}
              								goto L167;
              						}
              						L4:
              						_t220 = E01389E24(_t220, _t296);
              						_t296 = _t296 + 0x2000;
              						_t293 = _t293 - 1;
              						if(_t293 != 0) {
              							goto L4;
              						} else {
              							_t297 = _t293;
              							goto L6;
              						}
              						L167:
              						_push(0x1000);
              						_t205 = _t302 - 0xe; // 0xffffa36e
              						_t206 = _t302 - 0xd; // 0xffffa36f
              						_t207 = _t302 - 0x5c84; // 0xffff46f8
              						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
              						_push( *((intOrPtr*)(_t302 + 0xc)));
              						_t215 = E0138A156();
              						_t278 =  *((intOrPtr*)(_t302 + 0x10));
              						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
              					} while (_t215 != 0);
              				}
              			}

              APIs
              • __EH_prolog.LIBCMT ref: 0138B4CC
                • Part of subcall function 0138A156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0138A21E
              • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0138ADDF,?,00000000), ref: 0138B601
              • GetFileAttributesW.KERNEL32(?), ref: 0138B6BB
              • DeleteFileW.KERNEL32(?), ref: 0138B6C9
              • SetWindowTextW.USER32(?,?), ref: 0138B812
              • _wcsrchr.LIBVCRUNTIME ref: 0138B99C
              • GetDlgItem.USER32(?,00000066), ref: 0138B9D7
              • SetWindowTextW.USER32(00000000,?), ref: 0138B9E7
              • SendMessageW.USER32(00000000,00000143,00000000,013B9602), ref: 0138B9FB
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0138BA24
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
              • API String ID: 3676479488-312220925
              • Opcode ID: c84a2ce4d362c7ed7638d264bc4b70cb87b10f1a52fd60bcae362ed5ffe5480e
              • Instruction ID: 214580dd152973d8a4014764b3427b103bd77771150d6d85ebe3a95fd0497652
              • Opcode Fuzzy Hash: c84a2ce4d362c7ed7638d264bc4b70cb87b10f1a52fd60bcae362ed5ffe5480e
              • Instruction Fuzzy Hash: 96E1767290021AAAEF25FBB8DD84EDFB77CAF05358F0440A6E559E3144EE749B448F60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E0137CFD0(signed int __ecx, void* __edx) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed int _t196;
              				void* _t197;
              				WCHAR* _t198;
              				void* _t203;
              				signed int _t212;
              				signed int _t215;
              				signed int _t218;
              				signed int _t228;
              				void* _t229;
              				void* _t232;
              				signed int _t235;
              				signed int _t237;
              				signed int _t238;
              				signed int _t239;
              				signed int _t244;
              				signed int _t248;
              				signed int _t262;
              				signed int _t267;
              				signed int _t268;
              				signed int _t270;
              				signed int _t272;
              				signed int _t273;
              				void* _t274;
              				signed int _t279;
              				char* _t280;
              				signed int _t284;
              				short _t287;
              				void* _t288;
              				signed int _t294;
              				signed int _t299;
              				void* _t302;
              				void* _t304;
              				void* _t307;
              				signed int _t316;
              				signed int _t318;
              				unsigned int _t328;
              				signed int _t330;
              				unsigned int _t333;
              				signed int _t336;
              				void* _t343;
              				signed int _t348;
              				signed int _t351;
              				signed int _t352;
              				signed int _t357;
              				signed int _t361;
              				void* _t370;
              				signed int _t372;
              				signed int _t373;
              				void* _t374;
              				void* _t375;
              				intOrPtr* _t376;
              				signed int _t377;
              				signed int _t380;
              				signed int _t381;
              				signed int _t382;
              				signed int _t383;
              				signed int _t384;
              				signed int _t387;
              				signed int _t389;
              				signed int* _t390;
              				void* _t391;
              				void* _t392;
              				void* _t394;
              				void* _t398;
              				void* _t399;
              
              				_t370 = __edx;
              				_t318 = __ecx;
              				_t392 = _t391 - 0x6c;
              				E0138D870(E013A13DF, _t390);
              				E0138D940();
              				_t196 = 0x5c;
              				_push(0x427c);
              				_push(_t390[0x1e]);
              				_t387 = _t318;
              				_t390[0x11] = _t196;
              				_t390[0x12] = _t387;
              				_t197 = E01390BB8(_t318);
              				_t316 = 0;
              				_t396 = _t197;
              				_t198 = _t390 - 0x1264;
              				if(_t197 != 0) {
              					E0137FAB1(_t198, _t390[0x1e], 0x800);
              				} else {
              					GetModuleFileNameW(0, _t198, 0x800);
              					 *((short*)(E0137B943(_t396, _t390 - 0x1264))) = 0;
              					E0137FA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
              				}
              				E0137943C(_t390 - 0x2288);
              				_push(4);
              				 *(_t390 - 4) = _t316;
              				_push(_t390 - 0x1264);
              				if(E01379768(_t390 - 0x2288, _t387) == 0) {
              					L57:
              					_t203 = E0137946E(_t390 - 0x2288); // executed
              					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
              					return _t203;
              				} else {
              					_t380 = _t316;
              					_t398 =  *0x13ad5f4 - _t380; // 0x63
              					if(_t398 <= 0) {
              						L7:
              						E01395030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0137CC62);
              						E01395030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E0137CBC7);
              						_t394 = _t392 + 0x20;
              						_t390[0x1e] = _t316;
              						_t381 = _t380 | 0xffffffff;
              						_t390[0x16] = _t316;
              						_t390[0x19] = _t381;
              						while(_t381 == 0xffffffff) {
              							_t390[0x1b] = E01379B57();
              							_t294 = E01379979(_t370, _t390 - 0x4288, 0x2000);
              							_t390[0x17] = _t294;
              							_t384 = _t316;
              							_t25 = _t294 - 0x10; // -16
              							_t361 = _t25;
              							_t390[0x15] = _t361;
              							if(_t361 < 0) {
              								L25:
              								_t295 = _t390[0x1b];
              								_t381 = _t390[0x19];
              								L26:
              								E01379A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
              								_t299 = _t390[0x16] + 1;
              								_t390[0x16] = _t299;
              								__eflags = _t299 - 0x100;
              								if(_t299 < 0x100) {
              									continue;
              								}
              								__eflags = _t381 - 0xffffffff;
              								if(_t381 == 0xffffffff) {
              									goto L57;
              								}
              								break;
              							}
              							L10:
              							while(1) {
              								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
              									L14:
              									_t370 = 0x2a;
              									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
              										L18:
              										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
              											L21:
              											_t384 = _t384 + 1;
              											if(_t384 > _t390[0x15]) {
              												goto L25;
              											}
              											_t294 = _t390[0x17];
              											continue;
              										} else {
              											_t302 = E01395460(_t390 - 0x4286 + _t384, 0x13a261c, 4);
              											_t394 = _t394 + 0xc;
              											if(_t302 == 0) {
              												goto L57;
              											}
              											goto L21;
              										}
              									}
              									_t366 = _t390 - 0x4284 + _t384;
              									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
              										_t304 = E01394DA0(_t366, L"*messages***", 0xb);
              										_t394 = _t394 + 0xc;
              										if(_t304 == 0) {
              											_t390[0x1e] = 1;
              											goto L24;
              										}
              									}
              									goto L18;
              								} else {
              									_t307 = E01395460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
              									_t394 = _t394 + 0xc;
              									if(_t307 == 0) {
              										L24:
              										_t295 = _t390[0x1b];
              										_t381 = _t384 + _t390[0x1b];
              										_t390[0x19] = _t381;
              										goto L26;
              									}
              									_t294 = _t390[0x17];
              									goto L14;
              								}
              							}
              						}
              						asm("cdq");
              						E01379A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
              						_push(0x200002);
              						_t382 = E01392B53(_t390 - 0x2288);
              						_t390[0x1a] = _t382;
              						__eflags = _t382;
              						if(_t382 == 0) {
              							goto L57;
              						}
              						_t328 = E01379979(_t370, _t382, 0x200000);
              						_t390[0x19] = _t328;
              						__eflags = _t390[0x1e];
              						if(_t390[0x1e] == 0) {
              							_push(2 + _t328 * 2);
              							_t212 = E01392B53(_t328);
              							_t390[0x1e] = _t212;
              							__eflags = _t212;
              							if(_t212 == 0) {
              								goto L57;
              							}
              							_t330 = _t390[0x19];
              							 *(_t330 + _t382) = _t316;
              							__eflags = _t330 + 1;
              							E01380FDE(_t382, _t212, _t330 + 1);
              							L01392B4E(_t382);
              							_t382 = _t390[0x1e];
              							_t333 = _t390[0x19];
              							_t390[0x1a] = _t382;
              							L33:
              							_t215 = 0x100000;
              							__eflags = _t333 - 0x100000;
              							if(_t333 <= 0x100000) {
              								_t215 = _t333;
              							}
              							 *((short*)(_t382 + _t215 * 2)) = 0;
              							E0137FA56(_t390 - 0xd4, 0x13a2624, 0x64);
              							_push(0x20002);
              							_t218 = E01392B53(0);
              							_t390[0x1b] = _t218;
              							__eflags = _t218;
              							if(_t218 != 0) {
              								__eflags = _t390[0x19];
              								_t336 = _t316;
              								_t371 = _t316;
              								_t390[0x1e] = _t336;
              								 *_t390 = _t316;
              								_t383 = _t316;
              								_t390[0x17] = _t316;
              								if(_t390[0x19] <= 0) {
              									L54:
              									E0137CB33(_t387, _t371, _t390, _t218, _t336);
              									L01392B4E(_t390[0x1a]);
              									L01392B4E(_t390[0x1b]);
              									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
              									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
              										L56:
              										 *0x13b0124 =  *((intOrPtr*)(_t387 + 0x28));
              										E01395030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E0137CD08);
              										E01395030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E0137CD37);
              										goto L57;
              									} else {
              										goto L55;
              									}
              									do {
              										L55:
              										E01383393(_t387 + 0x3c, _t371, _t316);
              										E01383393(_t387 + 0x50, _t371, _t316);
              										_t316 = _t316 + 1;
              										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
              									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
              									goto L56;
              								}
              								_t390[0x14] = 0xd;
              								_t390[0x13] = 0xa;
              								_t390[0x15] = 9;
              								do {
              									_t228 = _t390[0x1a];
              									__eflags = _t383;
              									if(_t383 == 0) {
              										L80:
              										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
              										_t383 = _t383 + 1;
              										__eflags = _t372;
              										if(_t372 == 0) {
              											break;
              										}
              										__eflags = _t372 - _t390[0x11];
              										if(_t372 != _t390[0x11]) {
              											_t229 = 0xd;
              											__eflags = _t372 - _t229;
              											if(_t372 == _t229) {
              												L99:
              												E0137CB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
              												 *_t390 = _t316;
              												_t336 = _t316;
              												_t390[0x17] = _t316;
              												L98:
              												_t390[0x1e] = _t336;
              												goto L52;
              											}
              											_t232 = 0xa;
              											__eflags = _t372 - _t232;
              											if(_t372 == _t232) {
              												goto L99;
              											}
              											L96:
              											__eflags = _t336 - 0x10000;
              											if(_t336 >= 0x10000) {
              												goto L52;
              											}
              											 *(_t390[0x1b] + _t336 * 2) = _t372;
              											_t336 = _t336 + 1;
              											__eflags = _t336;
              											goto L98;
              										}
              										__eflags = _t336 - 0x10000;
              										if(_t336 >= 0x10000) {
              											goto L52;
              										}
              										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
              										__eflags = _t235;
              										if(_t235 == 0) {
              											_push(0x22);
              											L93:
              											_pop(_t377);
              											 *(_t390[0x1b] + _t336 * 2) = _t377;
              											_t336 = _t336 + 1;
              											_t390[0x1e] = _t336;
              											_t383 = _t383 + 1;
              											goto L52;
              										}
              										_t237 = _t235 - 0x3a;
              										__eflags = _t237;
              										if(_t237 == 0) {
              											_push(0x5c);
              											goto L93;
              										}
              										_t238 = _t237 - 0x12;
              										__eflags = _t238;
              										if(_t238 == 0) {
              											_push(0xa);
              											goto L93;
              										}
              										_t239 = _t238 - 4;
              										__eflags = _t239;
              										if(_t239 == 0) {
              											_push(0xd);
              											goto L93;
              										}
              										__eflags = _t239 != 0;
              										if(_t239 != 0) {
              											goto L96;
              										}
              										_push(9);
              										goto L93;
              									}
              									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
              									__eflags = _t373 - _t390[0x14];
              									if(_t373 == _t390[0x14]) {
              										L42:
              										_t343 = 0x3a;
              										__eflags =  *(_t228 + _t383 * 2) - _t343;
              										if( *(_t228 + _t383 * 2) != _t343) {
              											L71:
              											_t390[0x18] = _t228 + _t383 * 2;
              											_t244 = E0137F91A( *(_t228 + _t383 * 2) & 0x0000ffff);
              											__eflags = _t244;
              											if(_t244 == 0) {
              												L79:
              												_t336 = _t390[0x1e];
              												_t228 = _t390[0x1a];
              												goto L80;
              											}
              											E0137FAB1(_t390 - 0x264, _t390[0x18], 0x64);
              											_t248 = E01394E1D(_t390 - 0x264, L" \t,");
              											_t390[0x18] = _t248;
              											__eflags = _t248;
              											if(_t248 == 0) {
              												goto L79;
              											}
              											 *_t248 = 0;
              											E013811FA(_t390 - 0x264, _t390 - 0x138, 0x64);
              											E0137FA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
              											E0137FA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
              											E0137FA56(_t390, _t390 - 0x70, 0x32);
              											_t262 = E01394E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0137CCED);
              											_t394 = _t394 + 0x14;
              											__eflags = _t262;
              											if(_t262 != 0) {
              												_t268 =  *_t262 * 0xc;
              												__eflags = _t268;
              												_t167 = _t268 + 0x13ad150; // 0x28b64ee0
              												_t390[0x17] =  *_t167;
              											}
              											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
              											__eflags = _t383;
              											_t267 = _t390[0x1a];
              											_t374 = 0x20;
              											while(1) {
              												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
              												__eflags = _t348 - _t374;
              												if(_t348 == _t374) {
              													goto L78;
              												}
              												L77:
              												_t174 =  &(_t390[0x15]); // 0x9
              												__eflags = _t348 -  *_t174;
              												if(_t348 !=  *_t174) {
              													L51:
              													_t336 = _t390[0x1e];
              													goto L52;
              												}
              												L78:
              												_t383 = _t383 + 1;
              												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
              												__eflags = _t348 - _t374;
              												if(_t348 == _t374) {
              													goto L78;
              												}
              												goto L77;
              											}
              										}
              										_t389 = _t390[0x1a];
              										_t270 = _t228 | 0xffffffff;
              										__eflags = _t270;
              										_t390[0x16] = _t270;
              										_t390[0xd] = L"STRINGS";
              										_t390[0xe] = L"DIALOG";
              										_t390[0xf] = L"MENU";
              										_t390[0x10] = L"DIRECTION";
              										_t390[0x18] = _t316;
              										do {
              											_t390[0x18] = E01392B33( *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)));
              											_t272 = E01394DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)), _t271);
              											_t394 = _t394 + 0x10;
              											_t375 = 0x20;
              											__eflags = _t272;
              											if(_t272 != 0) {
              												L47:
              												_t273 = _t390[0x16];
              												goto L48;
              											}
              											_t357 = _t390[0x18] + _t383;
              											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
              											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
              												goto L47;
              											}
              											_t273 = _t316;
              											_t383 = _t357 + 1;
              											_t390[0x16] = _t273;
              											L48:
              											_t316 = _t316 + 1;
              											__eflags = _t316 - 4;
              										} while (_t316 < 4);
              										_t387 = _t390[0x12];
              										_t316 = 0;
              										__eflags = _t273;
              										if(__eflags != 0) {
              											_t228 = _t390[0x1a];
              											if(__eflags <= 0) {
              												goto L71;
              											} else {
              												goto L59;
              											}
              											while(1) {
              												L59:
              												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
              												__eflags = _t351 - _t375;
              												if(_t351 == _t375) {
              													goto L61;
              												}
              												L60:
              												_t132 =  &(_t390[0x15]); // 0x9
              												__eflags = _t351 -  *_t132;
              												if(_t351 !=  *_t132) {
              													_t376 = _t228 + _t383 * 2;
              													_t390[0x18] = _t316;
              													_t274 = 0x20;
              													_t352 = _t316;
              													__eflags =  *_t376 - _t274;
              													if( *_t376 <= _t274) {
              														L66:
              														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
              														E013811FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
              														_t383 = _t383 + _t390[0x18];
              														_t279 = _t390[0x16];
              														__eflags = _t279 - 3;
              														if(_t279 != 3) {
              															__eflags = _t279 - 1;
              															_t280 = "$%s:";
              															if(_t279 != 1) {
              																_t280 = "@%s:";
              															}
              															E0137D9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
              															_t394 = _t394 + 0x10;
              														} else {
              															_t284 = E01392B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
              															asm("sbb al, al");
              															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
              														}
              														goto L51;
              													} else {
              														goto L63;
              													}
              													while(1) {
              														L63:
              														__eflags = _t352 - 0x63;
              														if(_t352 >= 0x63) {
              															break;
              														}
              														_t287 =  *_t376;
              														_t376 = _t376 + 2;
              														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
              														_t352 = _t352 + 1;
              														_t288 = 0x20;
              														__eflags =  *_t376 - _t288;
              														if( *_t376 > _t288) {
              															continue;
              														}
              														break;
              													}
              													_t390[0x18] = _t352;
              													goto L66;
              												}
              												L61:
              												_t383 = _t383 + 1;
              												L59:
              												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
              												__eflags = _t351 - _t375;
              												if(_t351 == _t375) {
              													goto L61;
              												}
              												goto L60;
              											}
              										}
              										E0137FA56(_t390 - 0xd4, 0x13a2624, 0x64);
              										goto L51;
              									}
              									__eflags = _t373 - _t390[0x13];
              									if(_t373 != _t390[0x13]) {
              										goto L80;
              									}
              									goto L42;
              									L52:
              									__eflags = _t383 - _t390[0x19];
              								} while (_t383 < _t390[0x19]);
              								_t218 = _t390[0x1b];
              								_t371 = _t390[0x17];
              								goto L54;
              							} else {
              								L01392B4E(_t382);
              								goto L57;
              							}
              						}
              						_t333 = _t328 >> 1;
              						_t390[0x19] = _t333;
              						goto L33;
              					} else {
              						goto L5;
              					}
              					do {
              						L5:
              						E01383393(_t387, _t370, _t380);
              						E01383393(_t387 + 0x14, _t370, _t380);
              						_t380 = _t380 + 1;
              						_t399 = _t380 -  *0x13ad5f4; // 0x63
              					} while (_t399 < 0);
              					_t316 = 0;
              					goto L7;
              				}
              			}

              APIs
              • __EH_prolog.LIBCMT ref: 0137CFD9
              • _wcschr.LIBVCRUNTIME ref: 0137CFFA
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0137D015
              • __fprintf_l.LIBCMT ref: 0137D4FB
                • Part of subcall function 01380FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0137B312,00000000,?,?,?,00160024), ref: 01380FFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
              • API String ID: 4184910265-4124877899
              • Opcode ID: 9d09d5c6a82342c7f94aad400f006847b18a10fd173219cbbc1fda88116ce1e3
              • Instruction ID: a3390ace971e7f52a0376f05ad8c193152835d76a5ae170a1f8c1b3ad284e7ca
              • Opcode Fuzzy Hash: 9d09d5c6a82342c7f94aad400f006847b18a10fd173219cbbc1fda88116ce1e3
              • Instruction Fuzzy Hash: 3512C27160030A9BEF35EFA8DC40AED3BA9FF14318F54012AF91997291EB79D985CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138C190(intOrPtr _a4, long _a8) {
              				char _v67;
              				intOrPtr _v72;
              				signed int _v84;
              				int _v88;
              				void* _v92;
              				intOrPtr _t40;
              				intOrPtr _t43;
              				struct HWND__* _t45;
              				char _t48;
              
              				E0138A388(); // executed
              				_t45 = GetDlgItem( *0x13b75c8, 0x68);
              				_t48 =  *0x13b75d6; // 0x1
              				if(_t48 == 0) {
              					_t43 =  *0x13b75e8; // 0x0
              					E01388569(_t43);
              					ShowWindow(_t45, 5); // executed
              					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
              					SendMessageW(_t45, 0xc2, 0, 0x13a22e4);
              					 *0x13b75d6 = 1;
              				}
              				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
              				_v92 = 0x5c;
              				SendMessageW(_t45, 0x43a, 0,  &_v92);
              				_v67 = 0;
              				_t40 = _a4;
              				_v88 = 1;
              				if(_t40 != 0) {
              					_v72 = 0xa0;
              					_v88 = 0x40000001;
              					_v84 = _v84 & 0xbfffffff | 1;
              				}
              				SendMessageW(_t45, 0x444, 1,  &_v92);
              				SendMessageW(_t45, 0xc2, 0, _a8);
              				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
              				if(_t40 != 0) {
              					_v84 = _v84 & 0xfffffffe | 0x40000000;
              					SendMessageW(_t45, 0x444, 1,  &_v92);
              				}
              				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
              			}

              APIs
                • Part of subcall function 0138A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138A399
                • Part of subcall function 0138A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138A3AA
                • Part of subcall function 0138A388: IsDialogMessageW.USER32(00160024,?), ref: 0138A3BE
                • Part of subcall function 0138A388: TranslateMessage.USER32(?), ref: 0138A3CC
                • Part of subcall function 0138A388: DispatchMessageW.USER32(?), ref: 0138A3D6
              • GetDlgItem.USER32(00000068,013CDE38), ref: 0138C1A4
              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,01389D8F), ref: 0138C1CF
              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0138C1DE
              • SendMessageW.USER32(00000000,000000C2,00000000,013A22E4), ref: 0138C1E8
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138C1FE
              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0138C214
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138C254
              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0138C25E
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0138C26D
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0138C290
              • SendMessageW.USER32(00000000,000000C2,00000000,013A304C), ref: 0138C29B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
              • String ID: \
              • API String ID: 3569833718-2967466578
              • Opcode ID: b7755369b50f5a270b18fcf30eaa470f536ea7e4d8afa715c2f82fe2554301ff
              • Instruction ID: c62b39e7ac554e510c5a5dd3cca13a894326b8aeb4908fb934dd16bda999d84f
              • Opcode Fuzzy Hash: b7755369b50f5a270b18fcf30eaa470f536ea7e4d8afa715c2f82fe2554301ff
              • Instruction Fuzzy Hash: D32134712453447BE321FB288C41FAF7F9CEF82758F400609FA90A61C0D7A55A098BB6
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E0138C431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
              				signed short _v0;
              				long _v12;
              				void* __edi;
              				int _t54;
              				signed int _t57;
              				signed short* _t58;
              				long _t68;
              				int _t77;
              				signed int _t80;
              				signed short* _t81;
              				signed short _t82;
              				intOrPtr _t84;
              				long _t86;
              				signed short* _t87;
              				struct HWND__* _t89;
              				signed short* _t91;
              				void* _t93;
              				void* _t95;
              				void* _t99;
              
              				_t54 = 0x1040;
              				E0138D940();
              				_t91 = _a4168;
              				_t77 = 0;
              				if( *_t91 == 0) {
              					L55:
              					return _t54;
              				}
              				_t54 = E01392B33(_t91);
              				if(0x1040 >= 0x7f6) {
              					goto L55;
              				} else {
              					_t86 = 0x3c;
              					E0138E920(_t86,  &_a4, 0, _t86);
              					_t84 = _a4172;
              					_t99 = _t99 + 0xc;
              					_a4.cbSize = _t86;
              					_a8 = 0x1c0;
              					if(_t84 != 0) {
              						_a8 = 0x5c0;
              					}
              					_t80 =  *_t91 & 0x0000ffff;
              					_t87 =  &(_t91[1]);
              					_t95 = 0x22;
              					if(_t80 != _t95) {
              						_t87 = _t91;
              					}
              					_a20 = _t87;
              					_t57 = _t77;
              					if(_t80 == 0) {
              						L13:
              						_t58 = _a24;
              						L14:
              						if(_t58 == 0 ||  *_t58 == _t77) {
              							if(_t84 == 0 &&  *0x13ba602 != _t77) {
              								_a24 = 0x13ba602;
              							}
              						}
              						_a32 = 1;
              						_t93 = E0137B153(_t87);
              						if(_t93 != 0 && E01381410(_t93, L".inf") == 0) {
              							_a16 = L"Install";
              						}
              						if(E01379E6B(_a20) != 0) {
              							_push(0x800);
              							_push( &_a64);
              							_push(_a20);
              							E0137AED7();
              							_a8 =  &_a52;
              						}
              						_t54 = ShellExecuteExW( &_a4); // executed
              						if(_t54 != 0) {
              							_t89 = _a4160;
              							if( *0x13b85f8 != _t77 || _a4168 != _t77 ||  *0x13cde21 != _t77) {
              								if(_t89 != 0) {
              									_push(_t89);
              									if( *0x13adf24() != 0) {
              										ShowWindow(_t89, _t77);
              										_t77 = 1;
              									}
              								}
              								 *0x13adf20(_a56, 0x7d0);
              								E0138C8F0(_a48);
              								if( *0x13cde21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
              									_t68 = _v12;
              									if(_t68 >  *0x13cde24) {
              										 *0x13cde24 = _t68;
              									}
              									 *0x13cde22 = 1;
              								}
              							}
              							CloseHandle(_a48);
              							if(_t93 == 0 || E01381410(_t93, L".exe") != 0) {
              								_t54 = _a4160;
              								if( *0x13b85f8 != 0 && _t54 == 0 &&  *0x13cde21 == _t54) {
              									 *0x13cde28 = 0x1b58;
              								}
              							} else {
              								_t54 = _a4160;
              							}
              							if(_t77 != 0 && _t54 != 0) {
              								_t54 = ShowWindow(_t89, 1);
              							}
              						}
              						goto L55;
              					}
              					_t81 = _t91;
              					_v0 = 0x20;
              					do {
              						if( *_t81 == _t95) {
              							while(1) {
              								_t57 = _t57 + 1;
              								if(_t91[_t57] == _t77) {
              									break;
              								}
              								if(_t91[_t57] == _t95) {
              									_t82 = _v0;
              									_t91[_t57] = _t82;
              									L10:
              									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
              										if(_t91[_t57] == _v0) {
              											_t91[_t57] = 0;
              										}
              										_t58 =  &(_t91[_t57 + 1]);
              										_a24 = _t58;
              										goto L14;
              									} else {
              										goto L12;
              									}
              								}
              							}
              						}
              						_t82 = _v0;
              						goto L10;
              						L12:
              						_t57 = _t57 + 1;
              						_t81 =  &(_t91[_t57]);
              					} while ( *_t81 != _t77);
              					goto L13;
              				}
              			}

              APIs
              • ShellExecuteExW.SHELL32(000001C0), ref: 0138C55F
              • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0138C5A4
              • GetExitCodeProcess.KERNEL32 ref: 0138C5DC
              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0138C602
              • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0138C691
                • Part of subcall function 01381410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0137ACFE,?,?,?,0137ACAD,?,-00000002,?,00000000,?), ref: 01381426
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
              • String ID: $.exe$.inf
              • API String ID: 3686203788-2452507128
              • Opcode ID: cab5bbe03241faf9286133b1179d9b259b4cc4256909e58b391d7704d7ab36ad
              • Instruction ID: fc91c3b652cfb5fdc7c6e763b878c9c3bab3c44f1deada17458625a165131c0c
              • Opcode Fuzzy Hash: cab5bbe03241faf9286133b1179d9b259b4cc4256909e58b391d7704d7ab36ad
              • Instruction Fuzzy Hash: 6B51C7704043419BEB32BF69D540AFBBBE8AF8571CF08282DE6C597145D7B1A588CB71
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E013995A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
              				signed int _v8;
              				int _v12;
              				void* _v24;
              				signed int _t49;
              				signed int _t54;
              				int _t57;
              				signed int _t59;
              				short* _t61;
              				signed int _t65;
              				short* _t69;
              				int _t77;
              				short* _t80;
              				signed int _t86;
              				signed int _t89;
              				void* _t94;
              				void* _t95;
              				int _t97;
              				short* _t100;
              				int _t102;
              				int _t104;
              				signed int _t105;
              				short* _t106;
              				void* _t109;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t49 =  *0x13ad668; // 0x5221689b
              				_v8 = _t49 ^ _t105;
              				_push(__esi);
              				_t102 = _a20;
              				if(_t102 > 0) {
              					_t77 = E0139DBBC(_a16, _t102);
              					_t109 = _t77 - _t102;
              					_t4 = _t77 + 1; // 0x1
              					_t102 = _t4;
              					if(_t109 >= 0) {
              						_t102 = _t77;
              					}
              				}
              				_t97 = _a32;
              				if(_t97 == 0) {
              					_t97 =  *( *_a4 + 8);
              					_a32 = _t97;
              				}
              				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
              				_v12 = _t54;
              				if(_t54 == 0) {
              					L38:
              					return E0138E203(_t54, _v8 ^ _t105);
              				} else {
              					_t94 = _t54 + _t54;
              					_t84 = _t94 + 8;
              					asm("sbb eax, eax");
              					if((_t94 + 0x00000008 & _t54) == 0) {
              						_t80 = 0;
              						__eflags = 0;
              						L14:
              						if(_t80 == 0) {
              							L36:
              							_t104 = 0;
              							L37:
              							E0139980D(_t80);
              							_t54 = _t104;
              							goto L38;
              						}
              						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
              						_t120 = _t57;
              						if(_t57 == 0) {
              							goto L36;
              						}
              						_t99 = _v12;
              						_t59 = E01399C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
              						_t104 = _t59;
              						if(_t104 == 0) {
              							goto L36;
              						}
              						if((_a12 & 0x00000400) == 0) {
              							_t95 = _t104 + _t104;
              							_t86 = _t95 + 8;
              							__eflags = _t95 - _t86;
              							asm("sbb eax, eax");
              							__eflags = _t86 & _t59;
              							if((_t86 & _t59) == 0) {
              								_t100 = 0;
              								__eflags = 0;
              								L30:
              								__eflags = _t100;
              								if(__eflags == 0) {
              									L35:
              									E0139980D(_t100);
              									goto L36;
              								}
              								_t61 = E01399C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
              								__eflags = _t61;
              								if(_t61 == 0) {
              									goto L35;
              								}
              								_push(0);
              								_push(0);
              								__eflags = _a28;
              								if(_a28 != 0) {
              									_push(_a28);
              									_push(_a24);
              								} else {
              									_push(0);
              									_push(0);
              								}
              								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
              								__eflags = _t104;
              								if(_t104 != 0) {
              									E0139980D(_t100);
              									goto L37;
              								} else {
              									goto L35;
              								}
              							}
              							_t89 = _t95 + 8;
              							__eflags = _t95 - _t89;
              							asm("sbb eax, eax");
              							_t65 = _t59 & _t89;
              							_t86 = _t95 + 8;
              							__eflags = _t65 - 0x400;
              							if(_t65 > 0x400) {
              								__eflags = _t95 - _t86;
              								asm("sbb eax, eax");
              								_t100 = E01397A8A(_t86, _t65 & _t86);
              								_pop(_t86);
              								__eflags = _t100;
              								if(_t100 == 0) {
              									goto L35;
              								}
              								 *_t100 = 0xdddd;
              								L28:
              								_t100 =  &(_t100[4]);
              								goto L30;
              							}
              							__eflags = _t95 - _t86;
              							asm("sbb eax, eax");
              							E013A0EE0();
              							_t100 = _t106;
              							__eflags = _t100;
              							if(_t100 == 0) {
              								goto L35;
              							}
              							 *_t100 = 0xcccc;
              							goto L28;
              						}
              						_t69 = _a28;
              						if(_t69 == 0) {
              							goto L37;
              						}
              						_t124 = _t104 - _t69;
              						if(_t104 > _t69) {
              							goto L36;
              						}
              						_t104 = E01399C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
              						if(_t104 != 0) {
              							goto L37;
              						}
              						goto L36;
              					}
              					asm("sbb eax, eax");
              					_t71 = _t54 & _t94 + 0x00000008;
              					_t84 = _t94 + 8;
              					if((_t54 & _t94 + 0x00000008) > 0x400) {
              						__eflags = _t94 - _t84;
              						asm("sbb eax, eax");
              						_t80 = E01397A8A(_t84, _t71 & _t84);
              						_pop(_t84);
              						__eflags = _t80;
              						if(__eflags == 0) {
              							goto L36;
              						}
              						 *_t80 = 0xdddd;
              						L12:
              						_t80 =  &(_t80[4]);
              						goto L14;
              					}
              					asm("sbb eax, eax");
              					E013A0EE0();
              					_t80 = _t106;
              					if(_t80 == 0) {
              						goto L36;
              					}
              					 *_t80 = 0xcccc;
              					goto L12;
              				}
              			}

              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0139451B,0139451B,?,?,?,013997F6,00000001,00000001,31E85006), ref: 013995FF
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,013997F6,00000001,00000001,31E85006,?,?,?), ref: 01399685
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0139977F
              • __freea.LIBCMT ref: 0139978C
                • Part of subcall function 01397A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01392FA6,?,0000015D,?,?,?,?,01394482,000000FF,00000000,?,?), ref: 01397ABC
              • __freea.LIBCMT ref: 01399795
              • __freea.LIBCMT ref: 013997BA
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID:
              • API String ID: 1414292761-0
              • Opcode ID: 370968e29c31bd19969dab158161db25b723ba8d038815175efcd0a818d6d392
              • Instruction ID: 49c6fafe565253f512a2d01c169353f2597cfd90822b5566f5ce4673e75367bc
              • Opcode Fuzzy Hash: 370968e29c31bd19969dab158161db25b723ba8d038815175efcd0a818d6d392
              • Instruction Fuzzy Hash: 35517F72610216ABEF299E68CC81FAF7BADEB4466CF15462DFD05D6140EB34DC40CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01389A32(long _a4) {
              				short _v164;
              				long _t5;
              				long _t6;
              				WCHAR* _t9;
              				long _t11;
              
              				_t11 = _a4;
              				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
              				if(_t5 != 0) {
              					_t9 = L"EDIT";
              					_t5 = E01381410( &_v164, _t9);
              					if(_t5 != 0) {
              						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
              						_t11 = _t5;
              					}
              				}
              				if(_t11 != 0) {
              					_t6 = SHAutoComplete(_t11, 0x10); // executed
              					return _t6;
              				}
              				return _t5;
              			}

              APIs
              • GetClassNameW.USER32(?,?,00000050), ref: 01389A49
              • SHAutoComplete.SHLWAPI(?,00000010), ref: 01389A80
                • Part of subcall function 01381410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0137ACFE,?,?,?,0137ACAD,?,-00000002,?,00000000,?), ref: 01381426
              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 01389A70
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AutoClassCompareCompleteFindNameStringWindow
              • String ID: EDIT$plIw
              • API String ID: 4243998846-1748954997
              • Opcode ID: bbff4d4f889653c02a6d6080ef488e0388ce95b562c37cfd092b49ff013a7129
              • Instruction ID: d17ca7bd60f3ab2442dd515504bdff7c2fd607378df82d4fc8b9862894f34dea
              • Opcode Fuzzy Hash: bbff4d4f889653c02a6d6080ef488e0388ce95b562c37cfd092b49ff013a7129
              • Instruction Fuzzy Hash: 3EF08232A013287BFA30A6A99C05FFBBB6C9B86B55F840156BE40B31C0D764990687F5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E01379768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
              				long _v0;
              				void* _t48;
              				long _t59;
              				unsigned int _t61;
              				long _t64;
              				signed int _t65;
              				char _t68;
              				void* _t72;
              				void* _t74;
              				long _t78;
              				void* _t81;
              
              				_t74 = __esi;
              				E0138D940();
              				_t61 = _a4188;
              				_t72 = __ecx;
              				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
              				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
              					_t68 = 1;
              				} else {
              					_t68 = 0;
              				}
              				_push(_t74);
              				asm("sbb esi, esi");
              				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
              				if((_t61 & 0x00000001) != 0) {
              					_t78 = _t78 | 0x40000000;
              				}
              				_t64 =  !(_t61 >> 3) & 0x00000001;
              				if(_t68 != 0) {
              					_t64 = _t64 | 0x00000002;
              				}
              				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
              				E01376EF9( &_a12);
              				if( *((char*)(_t72 + 0x1c)) != 0) {
              					_t78 = _t78 | 0x00000100;
              				}
              				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
              				_t81 = _t48;
              				if(_t81 != 0xffffffff) {
              					L17:
              					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
              						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
              						_a8 = _a8 | 0xffffffff;
              						SetFileTime(_t81, 0,  &_a4, 0);
              					}
              					 *((char*)(_t72 + 0x12)) = 0;
              					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
              					 *((intOrPtr*)(_t72 + 0xc)) = 0;
              					 *((char*)(_t72 + 0x10)) = 0;
              					if(_t81 != 0xffffffff) {
              						 *(_t72 + 4) = _t81;
              						E0137FAB1(_t72 + 0x1e, _a4184, 0x800);
              					}
              					return _t65;
              				} else {
              					_a4.dwLowDateTime = GetLastError();
              					if(E0137B32C(_a4184,  &_a12, 0x800) == 0) {
              						L15:
              						if(_a4.dwLowDateTime == 2) {
              							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
              						}
              						goto L17;
              					}
              					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
              					_t59 = GetLastError();
              					if(_t59 == 2) {
              						_a4.dwLowDateTime = _t59;
              					}
              					if(_t81 != 0xffffffff) {
              						goto L17;
              					} else {
              						goto L15;
              					}
              				}
              			}















              APIs
              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,013776F2,?,00000005,?,00000011), ref: 01379804
              • GetLastError.KERNEL32(?,?,013776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01379811
              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,013776F2,?,00000005,?), ref: 01379846
              • GetLastError.KERNEL32(?,?,013776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0137984E
              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,013776F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01379893
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$CreateErrorLast$Time
              • String ID:
              • API String ID: 1999340476-0
              • Opcode ID: b19b39bdd883f86efd7c38be449380dad865fd9f0395356f33fcece152fe56a1
              • Instruction ID: faaf1eedb8324032ff39dcd71d8dec8a2c2a2cd8ea05751f2a6e485d71234593
              • Opcode Fuzzy Hash: b19b39bdd883f86efd7c38be449380dad865fd9f0395356f33fcece152fe56a1
              • Instruction Fuzzy Hash: 86412371844746ABE330DE68CC05BDABFE9AB0133CF100719FAA0961C1D3B9A489CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138A388() {
              				struct tagMSG _v32;
              				int _t7;
              				struct HWND__* _t10;
              				long _t14;
              
              				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
              				if(_t7 != 0) {
              					GetMessageW( &_v32, 0, 0, 0);
              					_t10 =  *0x13b75c8; // 0x160024
              					if(_t10 == 0) {
              						L3:
              						TranslateMessage( &_v32);
              						_t14 = DispatchMessageW( &_v32); // executed
              						return _t14;
              					}
              					_t7 = IsDialogMessageW(_t10,  &_v32);
              					if(_t7 == 0) {
              						goto L3;
              					}
              				}
              				return _t7;
              			}








              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138A399
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138A3AA
              • IsDialogMessageW.USER32(00160024,?), ref: 0138A3BE
              • TranslateMessage.USER32(?), ref: 0138A3CC
              • DispatchMessageW.USER32(?), ref: 0138A3D6
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Message$DialogDispatchPeekTranslate
              • String ID:
              • API String ID: 1266772231-0
              • Opcode ID: 1c464633ef981f277a4f4bbde51c3ced012f42639fd7ef9215ce0d4225b641d9
              • Instruction ID: b1eb840fe67fe76fa36076894412f01a4a989b354b132956a8701c69da26a3c9
              • Opcode Fuzzy Hash: 1c464633ef981f277a4f4bbde51c3ced012f42639fd7ef9215ce0d4225b641d9
              • Instruction Fuzzy Hash: 16F0B771901229ABDB30ABF6AC4CDEB7F6CEE052A5B404516BA09D3444E7A8D109CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 25%
              			E01389AA0(intOrPtr* __ecx) {
              				char _v8;
              				intOrPtr _v12;
              				char _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				char _v32;
              				intOrPtr _t10;
              
              				_t10 = E0137FCFD(L"riched20.dll"); // executed
              				 *__ecx = _t10;
              				 *0x13adffc(0); // executed
              				_v16 = 8;
              				_v12 = 0x7ff;
              				 *0x13adeb4( &_v16); // executed
              				_v32 = 1;
              				_v28 = 0;
              				_v24 = 0;
              				_v20 = 0;
              				L0138D820(); // executed
              				 *0x13adf08(0x13b75c0,  &_v8,  &_v32, 0); // executed
              				return __ecx;
              			}












              APIs
                • Part of subcall function 0137FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0137FD18
                • Part of subcall function 0137FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0137E7F6,Crypt32.dll,?,0137E878,?,0137E85C,?,?,?,?), ref: 0137FD3A
              • OleInitialize.OLE32(00000000), ref: 01389AB9
              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 01389AF0
              • SHGetMalloc.SHELL32(013B75C0), ref: 01389AFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
              • String ID: riched20.dll
              • API String ID: 3498096277-3360196438
              • Opcode ID: 5fc8f66a3960ee074baca9e4c12efd860148d60f5f8886212d3c19267f3a9371
              • Instruction ID: 23358ed16807abce7a2f032179cb15432cc28040bac438be49a7b31fd5ec32db
              • Opcode Fuzzy Hash: 5fc8f66a3960ee074baca9e4c12efd860148d60f5f8886212d3c19267f3a9371
              • Instruction Fuzzy Hash: D2F012B1D0020AABCB20EFD9D8499EFFFFCEF94715F00415AE814E2244DBB456058BA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 66%
              			E0138C891(void* __eflags, WCHAR* _a4) {
              				char _v8196;
              				int _t7;
              				WCHAR* _t12;
              				void* _t14;
              
              				_t14 = __eflags;
              				E0138D940();
              				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
              				_t7 = E0137F835(_t14, _a4,  &_v8196, 0x1000);
              				_t12 = _t7;
              				if(_t12 != 0) {
              					_push( *_t12 & 0x0000ffff);
              					while(E0137F94C() != 0) {
              						_t12 =  &(_t12[1]);
              						__eflags = _t12;
              						_push( *_t12 & 0x0000ffff);
              					}
              					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
              				}
              				return _t7;
              			}








              APIs
              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0138C8A7
              • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0138C8E3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: EnvironmentVariable
              • String ID: sfxcmd$sfxpar
              • API String ID: 1431749950-3493335439
              • Opcode ID: bd15f66ecff08911b089e36542ea2fca20cfe57fff8bb69005b56c3dc9da4e7f
              • Instruction ID: 6553295cdff57ad6abff614957e8d6e291a27bf951aae3c8e1a10b1c942273d8
              • Opcode Fuzzy Hash: bd15f66ecff08911b089e36542ea2fca20cfe57fff8bb69005b56c3dc9da4e7f
              • Instruction Fuzzy Hash: 9BF0A072850326AADB303FD99C09EFABFACEF19B65F400056FE4896201DA609841C7F1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E0137964A(void* __ecx, void* _a4, long _a8) {
              				long _v8;
              				int _t14;
              				signed int _t15;
              				void* _t25;
              
              				_push(__ecx);
              				_t25 = __ecx;
              				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
              					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
              				}
              				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
              				if(_t14 != 0) {
              					_t15 = _v8;
              				} else {
              					_t16 = E01379745(_t25);
              					if(_t16 == 0) {
              						L7:
              						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
              							L10:
              							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
              								L14:
              								_t15 = _t16 | 0xffffffff;
              							} else {
              								_t16 = GetLastError();
              								if(_t16 != 0x21) {
              									goto L14;
              								} else {
              									_push(0x8000);
              									goto L6;
              								}
              							}
              						} else {
              							_t16 = GetLastError();
              							if(_t16 != 0x6d) {
              								goto L10;
              							} else {
              								_t15 = 0;
              							}
              						}
              					} else {
              						_t16 = 0x4e20;
              						if(_a8 <= 0x4e20) {
              							goto L7;
              						} else {
              							_push(0x4e20);
              							L6:
              							_push(_a4);
              							_t15 = E0137964A(_t25);
              						}
              					}
              				}
              				return _t15;
              			}








              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 0137965A
              • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 01379672
              • GetLastError.KERNEL32 ref: 013796A4
              • GetLastError.KERNEL32 ref: 013796C3
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLast$FileHandleRead
              • String ID:
              • API String ID: 2244327787-0
              • Opcode ID: 096938ac9e450b396e2cbedea3b865c15cf28f209b5e5a0d42adf5359d30e526
              • Instruction ID: dd52dcb191bd7cdb1afb36647a0af603eb1e16102765b7e677bef9ee287ff0db
              • Opcode Fuzzy Hash: 096938ac9e450b396e2cbedea3b865c15cf28f209b5e5a0d42adf5359d30e526
              • Instruction Fuzzy Hash: F5118E30504208EFDF318A68C944B6A77AEEB0433DF00C729E92AA5580EB7C8940CF52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E01399A2C(signed int _a4) {
              				signed int _t9;
              				void* _t10;
              				void* _t13;
              				signed int _t15;
              				WCHAR* _t22;
              				signed int _t24;
              				signed int* _t25;
              				void* _t27;
              
              				_t9 = _a4;
              				_t25 = 0x13d0768 + _t9 * 4;
              				_t24 =  *_t25;
              				if(_t24 == 0) {
              					_t22 =  *(0x13a5ba0 + _t9 * 4);
              					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
              					_t27 = _t10;
              					if(_t27 != 0) {
              						L8:
              						 *_t25 = _t27;
              						if( *_t25 != 0) {
              							FreeLibrary(_t27);
              						}
              						_t13 = _t27;
              						L11:
              						return _t13;
              					}
              					_t15 = GetLastError();
              					if(_t15 != 0x57) {
              						_t27 = 0;
              					} else {
              						_t15 = LoadLibraryExW(_t22, _t27, _t27);
              						_t27 = _t15;
              					}
              					if(_t27 != 0) {
              						goto L8;
              					} else {
              						 *_t25 = _t15 | 0xffffffff;
              						_t13 = 0;
              						goto L11;
              					}
              				}
              				_t4 = _t24 + 1; // 0x5221689c
              				asm("sbb eax, eax");
              				return  ~_t4 & _t24;
              			}












              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,01392E0F,00000000,00000000,?,013999D3,01392E0F,00000000,00000000,00000000,?,01399BD0,00000006,FlsSetValue), ref: 01399A5E
              • GetLastError.KERNEL32(?,013999D3,01392E0F,00000000,00000000,00000000,?,01399BD0,00000006,FlsSetValue,013A6058,013A6060,00000000,00000364,?,013985E8), ref: 01399A6A
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013999D3,01392E0F,00000000,00000000,00000000,?,01399BD0,00000006,FlsSetValue,013A6058,013A6060,00000000), ref: 01399A78
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              • Opcode ID: 4cccb626b9de0cf2e7adda3a45fdb4ec8b4b33b17704f4f7670c678e0aba15d6
              • Instruction ID: e33ea268835b1f97a01fc1bcfe1efcdda85740b0544608c46ee219a108ca88f4
              • Opcode Fuzzy Hash: 4cccb626b9de0cf2e7adda3a45fdb4ec8b4b33b17704f4f7670c678e0aba15d6
              • Instruction Fuzzy Hash: 9A01F736242226ABEF318A6D9C44B677B9DEF45BADB510228FE06D7141D734D800C7E0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E013804F5() {
              				long _v4;
              				void* __ecx;
              				void* __esi;
              				void* __ebp;
              				void* _t5;
              				void* _t7;
              				int _t8;
              				void* _t12;
              				void** _t18;
              				void* _t22;
              
              				_t12 = 0;
              				if( *0x13b00e0 > 0) {
              					_t18 = 0x13b00e4;
              					do {
              						_t7 = CreateThread(0, 0x10000, E0138062F, 0x13b00e0, 0,  &_v4); // executed
              						_t22 = _t7;
              						if(_t22 == 0) {
              							_push(L"CreateThread failed");
              							_push(0x13b00e0);
              							E01376CC9(E0138E214(E01376CCE(0x13b00e0)), 0x13b00e0, 0x13b00e0, 2);
              						}
              						 *_t18 = _t22;
              						 *0x013B01E4 =  *((intOrPtr*)(0x13b01e4)) + 1;
              						_t8 =  *0x13b7368; // 0x0
              						if(_t8 != 0) {
              							_t8 = SetThreadPriority( *_t18, _t8);
              						}
              						_t12 = _t12 + 1;
              						_t18 =  &(_t18[1]);
              					} while (_t12 <  *0x13b00e0);
              					return _t8;
              				}
              				return _t5;
              			}














              APIs
              • CreateThread.KERNELBASE ref: 01380519
              • SetThreadPriority.KERNEL32(?,00000000), ref: 01380560
                • Part of subcall function 01376CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01376CEC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Thread$CreatePriority__vswprintf_c_l
              • String ID: CreateThread failed
              • API String ID: 2655393344-3849766595
              • Opcode ID: a3d38cb33fdfddbc8c1ebdecb857412709bacf740071e696da02a7b57e9296f9
              • Instruction ID: dde0b754c50b1782b19937e1bd2176b1356ee9be3f78d0a87cd47f2c5011fb14
              • Opcode Fuzzy Hash: a3d38cb33fdfddbc8c1ebdecb857412709bacf740071e696da02a7b57e9296f9
              • Instruction Fuzzy Hash: 160123B5748306AFD3387F559C85FA777ADEB4475DF10002DF78562280DAA1A848C730
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E01379C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
              				void* __ebp;
              				int _t24;
              				long _t32;
              				void* _t36;
              				void* _t42;
              				void* _t52;
              				intOrPtr* _t53;
              				void* _t57;
              				intOrPtr _t58;
              				long _t59;
              
              				_t52 = __edx;
              				_t59 = _a8;
              				_t53 = __ecx;
              				if(_t59 != 0) {
              					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
              						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
              					}
              					while(1) {
              						_a8 = _a8 & 0x00000000;
              						_t42 = 0;
              						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
              							goto L12;
              						}
              						_t57 = 0;
              						if(_t59 == 0) {
              							L14:
              							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
              								L21:
              								 *((char*)(_t53 + 8)) = 1;
              								return _t42;
              							} else {
              								_t56 = _t53 + 0x1e;
              								if(E01376C55(0x13b00e0, _t53 + 0x1e, 0) == 0) {
              									E01376E9B(0x13b00e0, _t59, 0, _t56);
              									goto L21;
              								}
              								if(_a8 < _t59 && _a8 > 0) {
              									_t58 =  *_t53;
              									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
              									asm("sbb edx, 0x0");
              									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
              								}
              								continue;
              							}
              						} else {
              							goto L7;
              						}
              						while(1) {
              							L7:
              							_t32 = _t59 - _t57;
              							if(_t32 >= 0x4000) {
              								_t32 = 0x4000;
              							}
              							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
              							asm("sbb bl, bl");
              							_t42 =  ~_t10 + 1;
              							if(_t42 == 0) {
              								goto L14;
              							}
              							_t57 = _t57 + 0x4000;
              							if(_t57 < _t59) {
              								continue;
              							}
              							L13:
              							if(_t42 != 0) {
              								goto L21;
              							}
              							goto L14;
              						}
              						goto L14;
              						L12:
              						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
              						asm("sbb al, al");
              						_t42 =  ~(_t24 - 1) + 1;
              						goto L13;
              					}
              				}
              				return 1;
              			}














              APIs
              • GetStdHandle.KERNEL32(000000F5,?,?,0137C90A,00000001,?,?,?,00000000,01384AF4,?,?,?,?,?,01384599), ref: 01379C4F
              • WriteFile.KERNEL32(?,00000000,?,013847A1,00000000,?,?,00000000,01384AF4,?,?,?,?,?,01384599,?), ref: 01379C8F
              • WriteFile.KERNELBASE(?,00000000,?,013847A1,00000000,?,00000001,?,?,0137C90A,00000001,?,?,?,00000000,01384AF4), ref: 01379CBC
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FileWrite$Handle
              • String ID:
              • API String ID: 4209713984-0
              • Opcode ID: 75e3a45177dc6f559e4f15d606c0a74e5899ace0efbb4d76318d0e565fb73a62
              • Instruction ID: 7c463113fb60ae1445f43e929378d723ef5d9e19a54383d36676ed4a6cd880f5
              • Opcode Fuzzy Hash: 75e3a45177dc6f559e4f15d606c0a74e5899ace0efbb4d76318d0e565fb73a62
              • Instruction Fuzzy Hash: 2F3105B154420AAFEF348E18C858BA6BBE8FB5172DF048619F69597580C778A448CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01379EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
              				short _v4100;
              				signed int _t8;
              				long _t10;
              				void* _t11;
              				int _t18;
              				WCHAR* _t21;
              
              				E0138D940();
              				_t21 = _a4;
              				_t8 =  *(E0137B927(__eflags, _t21)) & 0x0000ffff;
              				if(_t8 == 0x2e || _t8 == 0x20) {
              					L3:
              					if(E01379E6B(_t21) != 0 || E0137B32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
              						_t10 = GetLastError();
              						__eflags = _t10 - 2;
              						if(_t10 == 2) {
              							L12:
              							_t11 = 2;
              						} else {
              							__eflags = _t10 - 3;
              							if(_t10 == 3) {
              								goto L12;
              							} else {
              								_t11 = 1;
              							}
              						}
              					} else {
              						goto L6;
              					}
              				} else {
              					_t18 = CreateDirectoryW(_t21, 0); // executed
              					if(_t18 != 0) {
              						L6:
              						if(_a8 != 0) {
              							E0137A12F(_t21, _a12); // executed
              						}
              						_t11 = 0;
              					} else {
              						goto L3;
              					}
              				}
              				return _t11;
              			}










              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 01379F19
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 01379F4C
              • GetLastError.KERNEL32(?,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 01379F69
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CreateDirectory$ErrorLast
              • String ID:
              • API String ID: 2485089472-0
              • Opcode ID: a67c45b7a5df5bb2391529e894a4b7d546d49fe416dc4b2c83605df7ca217120
              • Instruction ID: 367eaf7450480711a98fa64712905a55051779c37fe18544133e1596fac0ee42
              • Opcode Fuzzy Hash: a67c45b7a5df5bb2391529e894a4b7d546d49fe416dc4b2c83605df7ca217120
              • Instruction Fuzzy Hash: 3201243160821466FB31AA6C8C04FFE775C9F066AEF440681FA45E6090D76CC589C7A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E0137399D(void* __ecx, signed int __edx) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				char _t76;
              				signed int _t83;
              				intOrPtr _t94;
              				void* _t120;
              				char _t121;
              				void* _t123;
              				void* _t130;
              				signed int _t144;
              				signed int _t148;
              				void* _t151;
              				void* _t153;
              
              				_t143 = __edx;
              				_t123 = __ecx;
              				E0138D870(E013A11BE, _t153);
              				E0138D940();
              				_t151 = _t123;
              				_t156 =  *((char*)(_t151 + 0x6cc4));
              				if( *((char*)(_t151 + 0x6cc4)) == 0) {
              					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
              					if(__eflags > 0) {
              						L26:
              						E0137134C(__eflags, 0x1e, _t151 + 0x1e);
              						goto L27;
              					}
              					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
              					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
              					if(__eflags > 0) {
              						goto L26;
              					}
              					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
              					__eflags = _t83;
              					if(_t83 != 0) {
              						L7:
              						_t120 = _t151 + 0x20e8;
              						E0137C5C9(_t83, _t120);
              						_push(_t120);
              						E013814DE(_t153 - 0xe6ec, __eflags);
              						_t121 = 0;
              						 *((intOrPtr*)(_t153 - 4)) = 0;
              						E01382842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
              						_t148 =  *(_t153 + 8);
              						__eflags =  *(_t153 + 0xc);
              						if( *(_t153 + 0xc) != 0) {
              							L15:
              							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
              							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
              								L18:
              								E0137A728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
              								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
              								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
              								 *((char*)(_t151 + 0x2110)) = _t121;
              								E0137C67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
              								_t130 = _t151 + 0x20e8;
              								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
              								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
              								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
              								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
              								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
              								_t144 =  *(_t151 + 0x5634);
              								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
              								 *(_t153 - 0x9aa0) = _t144;
              								 *((char*)(_t153 - 0x9a8c)) = _t121;
              								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
              								if(__eflags != 0) {
              									E013824D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
              								} else {
              									_push(_t144);
              									_push(_t94);
              									_push(_t130); // executed
              									E0137910B(_t121, _t144, _t148, __eflags); // executed
              								}
              								asm("sbb edx, edx");
              								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
              								__eflags = E0137A6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
              								if(__eflags != 0) {
              									_t121 = 1;
              								} else {
              									E01376BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
              									E01376E03(0x13b00e0, 3);
              									__eflags = _t148;
              									if(_t148 != 0) {
              										E0137FBBB(_t148);
              									}
              								}
              								L25:
              								E013816CB(_t153 - 0xe6ec, _t143, _t148, _t151);
              								_t76 = _t121;
              								goto L28;
              							}
              							_t143 =  *(_t151 + 0x21bc);
              							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
              							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
              								goto L25;
              							}
              							asm("sbb ecx, ecx");
              							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
              							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
              							E0137C634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
              							goto L18;
              						}
              						__eflags =  *(_t151 + 0x5634);
              						if(__eflags < 0) {
              							L12:
              							__eflags = _t148;
              							if(_t148 != 0) {
              								E01371EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
              								E0137C699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
              							} else {
              								 *((char*)(_t151 + 0x2111)) = 1;
              							}
              							goto L15;
              						}
              						if(__eflags > 0) {
              							L11:
              							E0137134C(__eflags, 0x1e, _t151 + 0x1e);
              							goto L25;
              						}
              						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
              						if(__eflags <= 0) {
              							goto L12;
              						}
              						goto L11;
              					}
              					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
              					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
              						goto L7;
              					} else {
              						_t76 = 1;
              						goto L28;
              					}
              				} else {
              					E0137134C(_t156, 0x1d, _t151 + 0x1e);
              					E01376E03(0x13b00e0, 3);
              					L27:
              					_t76 = 0;
              					L28:
              					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
              					return _t76;
              				}
              			}


















              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID: CMT
              • API String ID: 3519838083-2756464174
              • Opcode ID: 60367115a7033147ed55bdf7b5d22521515b4ff33defe1c13c15bed9275734fe
              • Instruction ID: 367b228c7144fae10c67a1247570b29491dd3afaf643839ef6f2b1717ba8a93f
              • Opcode Fuzzy Hash: 60367115a7033147ed55bdf7b5d22521515b4ff33defe1c13c15bed9275734fe
              • Instruction Fuzzy Hash: 0871D471504F4AAEDB31DB78CC80AEBBBE8BF24209F44495EE5AB87141D7356648DF10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0139A51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
              				signed int _v8;
              				char _v264;
              				char _v520;
              				char _v776;
              				char _v1800;
              				char _v1814;
              				struct _cpinfo _v1820;
              				intOrPtr _v1824;
              				signed char _v1828;
              				signed int _t63;
              				void* _t67;
              				signed char _t68;
              				intOrPtr _t69;
              				void* _t72;
              				char _t73;
              				char _t74;
              				signed char _t75;
              				signed int _t76;
              				signed char _t88;
              				signed int _t91;
              				signed int _t92;
              				signed int _t93;
              				void* _t94;
              				char* _t95;
              				intOrPtr _t99;
              				signed int _t100;
              
              				_t93 = __edx;
              				_t63 =  *0x13ad668; // 0x5221689b
              				_v8 = _t63 ^ _t100;
              				_t99 = _a4;
              				_t4 = _t99 + 4; // 0x5efc4d8b
              				if(GetCPInfo( *_t4,  &_v1820) == 0) {
              					_t47 = _t99 + 0x119; // 0x139ab69
              					_t94 = _t47;
              					_t88 = 0;
              					_t67 = 0xffffff9f;
              					_t68 = _t67 - _t94;
              					__eflags = _t68;
              					_v1828 = _t68;
              					do {
              						_t95 = _t94 + _t88;
              						_t69 = _t68 + _t95;
              						_v1824 = _t69;
              						__eflags = _t69 + 0x20 - 0x19;
              						if(_t69 + 0x20 > 0x19) {
              							__eflags = _v1824 - 0x19;
              							if(_v1824 > 0x19) {
              								 *_t95 = 0;
              							} else {
              								_t72 = _t99 + _t88;
              								_t57 = _t72 + 0x19;
              								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
              								__eflags =  *_t57;
              								_t59 = _t88 - 0x20; // -32
              								_t73 = _t59;
              								goto L24;
              							}
              						} else {
              							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
              							_t54 = _t88 + 0x20; // 0x20
              							_t73 = _t54;
              							L24:
              							 *_t95 = _t73;
              						}
              						_t68 = _v1828;
              						_t61 = _t99 + 0x119; // 0x139ab69
              						_t94 = _t61;
              						_t88 = _t88 + 1;
              						__eflags = _t88 - 0x100;
              					} while (_t88 < 0x100);
              				} else {
              					_t74 = 0;
              					do {
              						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
              						_t74 = _t74 + 1;
              					} while (_t74 < 0x100);
              					_t75 = _v1814;
              					_t91 =  &_v1814;
              					_v264 = 0x20;
              					while(1) {
              						_t106 = _t75;
              						if(_t75 == 0) {
              							break;
              						}
              						_t93 =  *(_t91 + 1) & 0x000000ff;
              						_t76 = _t75 & 0x000000ff;
              						while(1) {
              							__eflags = _t76 - _t93;
              							if(_t76 > _t93) {
              								break;
              							}
              							__eflags = _t76 - 0x100;
              							if(_t76 < 0x100) {
              								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
              								_t76 = _t76 + 1;
              								__eflags = _t76;
              								continue;
              							}
              							break;
              						}
              						_t91 = _t91 + 2;
              						__eflags = _t91;
              						_t75 =  *_t91;
              					}
              					_t13 = _t99 + 4; // 0x5efc4d8b
              					E0139B5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
              					_t16 = _t99 + 4; // 0x5efc4d8b
              					_t19 = _t99 + 0x21c; // 0x2ebf88b
              					E013997C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
              					_t21 = _t99 + 4; // 0x5efc4d8b
              					_t23 = _t99 + 0x21c; // 0x2ebf88b
              					E013997C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
              					_t92 = 0;
              					do {
              						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
              						if((_t68 & 0x00000001) == 0) {
              							__eflags = _t68 & 0x00000002;
              							if((_t68 & 0x00000002) == 0) {
              								 *(_t99 + _t92 + 0x119) = 0;
              							} else {
              								_t37 = _t99 + _t92 + 0x19;
              								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
              								__eflags =  *_t37;
              								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
              								goto L15;
              							}
              						} else {
              							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
              							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
              							L15:
              							 *(_t99 + _t92 + 0x119) = _t68;
              						}
              						_t92 = _t92 + 1;
              					} while (_t92 < 0x100);
              				}
              				return E0138E203(_t68, _v8 ^ _t100);
              			}






























              APIs
              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0139A543
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Info
              • String ID:
              • API String ID: 1807457897-3916222277
              • Opcode ID: cab9ec0bfc0afa03d8f81c6041ac1e2a489a614f0d0035dc49fd729d34a80ea3
              • Instruction ID: 7f072b8038aa66e1f7525aaaa7d6e9abc7c1c194e9ff058badc227375bd0cdf1
              • Opcode Fuzzy Hash: cab9ec0bfc0afa03d8f81c6041ac1e2a489a614f0d0035dc49fd729d34a80ea3
              • Instruction Fuzzy Hash: E341F77060824C9EDF228E688C84BFABBADEB9531CF1805ECD59A87142D2359A55CF60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E01371D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
              				void* _t34;
              				intOrPtr _t41;
              				intOrPtr _t51;
              				void* _t62;
              				unsigned int _t64;
              				signed int _t66;
              				intOrPtr* _t68;
              				void* _t70;
              
              				_t62 = __edx;
              				_t51 = __ecx;
              				E0138D870(E013A1173, _t70);
              				_t49 = 0;
              				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
              				 *((intOrPtr*)(_t70 - 0x24)) = 0;
              				 *(_t70 - 0x20) = 0;
              				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
              				 *((intOrPtr*)(_t70 - 0x18)) = 0;
              				 *((char*)(_t70 - 0x14)) = 0;
              				 *((intOrPtr*)(_t70 - 4)) = 0;
              				_t34 = E0137399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
              				if(_t34 != 0) {
              					_t64 =  *(_t70 - 0x20);
              					E013716C0(_t70 - 0x24, _t62, 1);
              					_t68 =  *((intOrPtr*)(_t70 + 8));
              					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
              					_t16 = _t64 + 1; // 0x1
              					E01371837(_t68, _t16);
              					_t41 =  *((intOrPtr*)(_t70 - 0x10));
              					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
              						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
              							E01380FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
              						} else {
              							_t66 = _t64 >> 1;
              							E01381059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
              							 *((short*)( *_t68 + _t66 * 2)) = 0;
              						}
              					} else {
              						_push( *((intOrPtr*)(_t68 + 4)));
              						_push( *_t68);
              						_push( *((intOrPtr*)(_t70 - 0x24)));
              						E01381094();
              					}
              					E01371837(_t68, E01392B33( *_t68));
              					_t49 = 1;
              				}
              				E0137159C(_t70 - 0x24);
              				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
              				return _t49;
              			}












              APIs
              • __EH_prolog.LIBCMT ref: 01371D66
                • Part of subcall function 0137399D: __EH_prolog.LIBCMT ref: 013739A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID: CMT
              • API String ID: 3519838083-2756464174
              • Opcode ID: 1eb588a948668af957a07e8ca3709df723522ca12b684f38964d32b2f9b10d36
              • Instruction ID: 3fd31c7c7d4a43e8f4550bd2011099e40295e23cc5aaa838b11e724751a663f6
              • Opcode Fuzzy Hash: 1eb588a948668af957a07e8ca3709df723522ca12b684f38964d32b2f9b10d36
              • Instruction Fuzzy Hash: DB214B72904209AFCB25EF98C9409EEFBF6FF59208F1004A9E859A7650C7365A55CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E01399C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
              				signed int _v8;
              				signed int _t18;
              				intOrPtr* _t20;
              				int _t22;
              				intOrPtr* _t30;
              				signed int _t32;
              
              				_t25 = __ecx;
              				_push(__ecx);
              				_t18 =  *0x13ad668; // 0x5221689b
              				_v8 = _t18 ^ _t32;
              				_push(__esi);
              				_t20 = E01399990(0x16, "LCMapStringEx", 0x13a6084, "LCMapStringEx"); // executed
              				_t30 = _t20;
              				if(_t30 == 0) {
              					_t22 = LCMapStringW(E01399CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
              				} else {
              					 *0x13a2260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
              					_t22 =  *_t30();
              				}
              				return E0138E203(_t22, _v8 ^ _t32);
              			}










              APIs
              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 01399CD5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: String
              • String ID: LCMapStringEx
              • API String ID: 2568140703-3893581201
              • Opcode ID: 78a8c855572a83023716f3aa01510667c301734b3337071d22eefd4eeca33d67
              • Instruction ID: a8927d9cdd0b0bd8dab325774a9f3e653f05cbe687a6fcd1884b6abc23489708
              • Opcode Fuzzy Hash: 78a8c855572a83023716f3aa01510667c301734b3337071d22eefd4eeca33d67
              • Instruction Fuzzy Hash: B201D33258420DBBCF12AF95DD05EEE3FAAEB08768F454518FE1426160C6768971EB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E01399C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
              				signed int _v8;
              				signed int _t8;
              				intOrPtr* _t10;
              				int _t11;
              				intOrPtr* _t19;
              				signed int _t21;
              
              				_push(__ecx);
              				_t8 =  *0x13ad668; // 0x5221689b
              				_v8 = _t8 ^ _t21;
              				_t10 = E01399990(0x14, "InitializeCriticalSectionEx", 0x13a607c, 0x13a6084); // executed
              				_t19 = _t10;
              				if(_t19 == 0) {
              					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
              				} else {
              					 *0x13a2260(_a4, _a8, _a12);
              					_t11 =  *_t19();
              				}
              				return E0138E203(_t11, _v8 ^ _t21);
              			}










              APIs
              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,01399291), ref: 01399C4D
              Strings
              • InitializeCriticalSectionEx, xrefs: 01399C1D
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CountCriticalInitializeSectionSpin
              • String ID: InitializeCriticalSectionEx
              • API String ID: 2593887523-3084827643
              • Opcode ID: 95057c9f9f0296ac62654700901dd8f1511944215f0df214bd21a0e0c910e417
              • Instruction ID: 31b68e104d7a2b16d1cd9326c0cccebbccfd61a5a801a1aef81224b8dba4911f
              • Opcode Fuzzy Hash: 95057c9f9f0296ac62654700901dd8f1511944215f0df214bd21a0e0c910e417
              • Instruction Fuzzy Hash: D6F0B431A4520CFBCF25AF65DC05DAE7FA9EB04729F854118FD0516250CA714A60DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E01399AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
              				signed int _v8;
              				signed int _t4;
              				intOrPtr* _t6;
              				long _t7;
              				intOrPtr* _t15;
              				signed int _t17;
              
              				_push(__ecx);
              				_t4 =  *0x13ad668; // 0x5221689b
              				_v8 = _t4 ^ _t17;
              				_t6 = E01399990(3, "FlsAlloc", 0x13a6040, 0x13a6048); // executed
              				_t15 = _t6;
              				if(_t15 == 0) {
              					_t7 = TlsAlloc();
              				} else {
              					 *0x13a2260(_a4);
              					_t7 =  *_t15();
              				}
              				return E0138E203(_t7, _v8 ^ _t17);
              			}










              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Alloc
              • String ID: FlsAlloc
              • API String ID: 2773662609-671089009
              • Opcode ID: b0664c4a8b234bc0a9850db0e712cec4e15b894b889da7b78fea49cbf75ed197
              • Instruction ID: f7ba2a0442e005b5a781f17930c806114fbcac1877b53c6c63e4788124a296f6
              • Opcode Fuzzy Hash: b0664c4a8b234bc0a9850db0e712cec4e15b894b889da7b78fea49cbf75ed197
              • Instruction Fuzzy Hash: D6E0E531E85218ABDB30ABA69C06A6FBBA8DB14728F84015DFC1557340CE795E1087C5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E0139281A(void* __eflags, intOrPtr _a4) {
              				intOrPtr* _t2;
              				intOrPtr* _t6;
              
              				_t2 = E013926F9(4, "FlsAlloc", 0x13a4394, "FlsAlloc"); // executed
              				_t6 = _t2;
              				if(_t6 == 0) {
              					return TlsAlloc();
              				}
              				L0138E2DD();
              				return  *_t6(_a4);
              			}






              APIs
              • try_get_function.LIBVCRUNTIME ref: 0139282F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: try_get_function
              • String ID: FlsAlloc
              • API String ID: 2742660187-671089009
              • Opcode ID: 9c14d5acba8e9522e2a5c3af07a17147b399caa226e236b45ac3587ec24a0aee
              • Instruction ID: 43b7c1aa133a168d20cea8a993cdd3f99a4eb8ad55b80bbea0d489f4031b3c80
              • Opcode Fuzzy Hash: 9c14d5acba8e9522e2a5c3af07a17147b399caa226e236b45ac3587ec24a0aee
              • Instruction Fuzzy Hash: 84D05E22785B29B7DA1032DA6C12AABBE58CB01AB9F890276FF0C65383D5E5942052D1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 97%
              			E0139A873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				char _v22;
              				struct _cpinfo _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _t48;
              				int _t51;
              				signed int _t54;
              				signed int _t55;
              				short _t58;
              				signed int _t60;
              				signed char _t62;
              				signed int _t63;
              				signed char* _t71;
              				signed char* _t72;
              				int _t76;
              				signed int _t79;
              				signed char* _t80;
              				short* _t81;
              				int _t85;
              				signed char _t86;
              				signed int _t87;
              				signed int _t89;
              				signed int _t90;
              				int _t92;
              				int _t93;
              				intOrPtr _t96;
              				signed int _t97;
              
              				_t48 =  *0x13ad668; // 0x5221689b
              				_v8 = _t48 ^ _t97;
              				_t96 = _a8;
              				_t76 = E0139A446(__eflags, _a4);
              				if(_t76 != 0) {
              					_t92 = 0;
              					__eflags = 0;
              					_t79 = 0;
              					_t51 = 0;
              					_v32 = 0;
              					while(1) {
              						__eflags =  *((intOrPtr*)(_t51 + 0x13ad828)) - _t76;
              						if( *((intOrPtr*)(_t51 + 0x13ad828)) == _t76) {
              							break;
              						}
              						_t79 = _t79 + 1;
              						_t51 = _t51 + 0x30;
              						_v32 = _t79;
              						__eflags = _t51 - 0xf0;
              						if(_t51 < 0xf0) {
              							continue;
              						} else {
              							__eflags = _t76 - 0xfde8;
              							if(_t76 == 0xfde8) {
              								L23:
              								_t60 = _t51 | 0xffffffff;
              							} else {
              								__eflags = _t76 - 0xfde9;
              								if(_t76 == 0xfde9) {
              									goto L23;
              								} else {
              									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
              									__eflags = _t51;
              									if(_t51 == 0) {
              										goto L23;
              									} else {
              										_t51 = GetCPInfo(_t76,  &_v28);
              										__eflags = _t51;
              										if(_t51 == 0) {
              											__eflags =  *0x13d0854 - _t92; // 0x0
              											if(__eflags == 0) {
              												goto L23;
              											} else {
              												E0139A4B9(_t96);
              												goto L37;
              											}
              										} else {
              											E0138E920(_t92, _t96 + 0x18, _t92, 0x101);
              											 *(_t96 + 4) = _t76;
              											 *(_t96 + 0x21c) = _t92;
              											_t76 = 1;
              											__eflags = _v28 - 1;
              											if(_v28 <= 1) {
              												 *(_t96 + 8) = _t92;
              											} else {
              												__eflags = _v22;
              												_t71 =  &_v22;
              												if(_v22 != 0) {
              													while(1) {
              														_t86 = _t71[1];
              														__eflags = _t86;
              														if(_t86 == 0) {
              															goto L16;
              														}
              														_t89 = _t86 & 0x000000ff;
              														_t87 =  *_t71 & 0x000000ff;
              														while(1) {
              															__eflags = _t87 - _t89;
              															if(_t87 > _t89) {
              																break;
              															}
              															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
              															_t87 = _t87 + 1;
              															__eflags = _t87;
              														}
              														_t71 =  &(_t71[2]);
              														__eflags =  *_t71;
              														if( *_t71 != 0) {
              															continue;
              														}
              														goto L16;
              													}
              												}
              												L16:
              												_t72 = _t96 + 0x1a;
              												_t85 = 0xfe;
              												do {
              													 *_t72 =  *_t72 | 0x00000008;
              													_t72 =  &(_t72[1]);
              													_t85 = _t85 - 1;
              													__eflags = _t85;
              												} while (_t85 != 0);
              												 *(_t96 + 0x21c) = E0139A408( *(_t96 + 4));
              												 *(_t96 + 8) = _t76;
              											}
              											_t93 = _t96 + 0xc;
              											asm("stosd");
              											asm("stosd");
              											asm("stosd");
              											L36:
              											E0139A51E(_t76, _t89, _t93, _t96, _t96); // executed
              											L37:
              											_t60 = 0;
              											__eflags = 0;
              										}
              									}
              								}
              							}
              						}
              						goto L39;
              					}
              					E0138E920(_t92, _t96 + 0x18, _t92, 0x101);
              					_t54 = _v32 * 0x30;
              					__eflags = _t54;
              					_v36 = _t54;
              					_t55 = _t54 + 0x13ad838;
              					_v32 = _t55;
              					do {
              						__eflags =  *_t55;
              						_t80 = _t55;
              						if( *_t55 != 0) {
              							while(1) {
              								_t62 = _t80[1];
              								__eflags = _t62;
              								if(_t62 == 0) {
              									break;
              								}
              								_t90 =  *_t80 & 0x000000ff;
              								_t63 = _t62 & 0x000000ff;
              								while(1) {
              									__eflags = _t90 - _t63;
              									if(_t90 > _t63) {
              										break;
              									}
              									__eflags = _t90 - 0x100;
              									if(_t90 < 0x100) {
              										_t31 = _t92 + 0x13ad820; // 0x8040201
              										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
              										_t90 = _t90 + 1;
              										__eflags = _t90;
              										_t63 = _t80[1] & 0x000000ff;
              										continue;
              									}
              									break;
              								}
              								_t80 =  &(_t80[2]);
              								__eflags =  *_t80;
              								if( *_t80 != 0) {
              									continue;
              								}
              								break;
              							}
              							_t55 = _v32;
              						}
              						_t92 = _t92 + 1;
              						_t55 = _t55 + 8;
              						_v32 = _t55;
              						__eflags = _t92 - 4;
              					} while (_t92 < 4);
              					 *(_t96 + 4) = _t76;
              					 *(_t96 + 8) = 1;
              					 *(_t96 + 0x21c) = E0139A408(_t76);
              					_t81 = _t96 + 0xc;
              					_t89 = _v36 + 0x13ad82c;
              					_t93 = 6;
              					do {
              						_t58 =  *_t89;
              						_t89 = _t89 + 2;
              						 *_t81 = _t58;
              						_t81 = _t81 + 2;
              						_t93 = _t93 - 1;
              						__eflags = _t93;
              					} while (_t93 != 0);
              					goto L36;
              				} else {
              					E0139A4B9(_t96);
              					_t60 = 0;
              				}
              				L39:
              				return E0138E203(_t60, _v8 ^ _t97);
              			}
































              APIs
                • Part of subcall function 0139A446: GetOEMCP.KERNEL32(00000000,?,?,0139A6CF,?), ref: 0139A471
              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0139A714,?,00000000), ref: 0139A8E7
              • GetCPInfo.KERNEL32(00000000,0139A714,?,?,?,0139A714,?,00000000), ref: 0139A8FA
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CodeInfoPageValid
              • String ID:
              • API String ID: 546120528-0
              • Opcode ID: 70e90d96e2bfeda7b08ccfd29b0a4925a920e277b91a6788d3e6ca573e8b6ed1
              • Instruction ID: e2c86efeeaf6e1e77f5c018a07704f040505a4effc1fcfc7355d274c2280bbcc
              • Opcode Fuzzy Hash: 70e90d96e2bfeda7b08ccfd29b0a4925a920e277b91a6788d3e6ca573e8b6ed1
              • Instruction Fuzzy Hash: 5151447490434A9FEF25CF79C4446BBBFE9FF42218F05826ED1968B241E7389545CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E01371382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
              				void* __esi;
              				void* _t56;
              				signed int _t62;
              				signed int _t63;
              				char _t64;
              				intOrPtr _t74;
              				intOrPtr* _t78;
              				void* _t86;
              				void* _t87;
              				intOrPtr* _t89;
              				void* _t91;
              				void* _t96;
              
              				_t96 = __eflags;
              				_t87 = __edi;
              				_t86 = __edx;
              				_t78 = __ecx;
              				E0138D870(_t56, _t91);
              				_push(_t78);
              				_t89 = _t78;
              				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
              				E0137943C(_t78);
              				 *_t89 = 0x13a22e8;
              				 *((intOrPtr*)(_t91 - 4)) = 0;
              				E01375E99(_t89 + 0x1024, _t86, _t96);
              				 *((char*)(_t91 - 4)) = 1;
              				E0137C4CA(_t89 + 0x20e8, _t86, _t96);
              				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
              				E0137151B();
              				_t62 = E0137151B();
              				 *((char*)(_t91 - 4)) = 4;
              				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
              				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
              				 *(_t89 + 0x21b8) = _t63;
              				_t98 = _t63;
              				if(_t63 == 0) {
              					_t64 =  *((intOrPtr*)(_t91 + 8));
              				} else {
              					_t74 = E0138D82C(_t86, _t89, _t98, 0x82e8);
              					 *((intOrPtr*)(_t91 + 8)) = _t74;
              					 *((char*)(_t91 - 4)) = 5;
              					if(_t74 == 0) {
              						_t64 = 0;
              					} else {
              						_t64 = E0137AD1B(_t74); // executed
              					}
              				}
              				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
              				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
              				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
              				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
              				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
              				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
              				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
              				 *((char*)(_t89 + 0x6cbc)) = 0;
              				 *((short*)(_t89 + 0x6cc4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
              				E0138E920(_t87, _t89 + 0x2208, 0, 0x40);
              				E0138E920(_t87, _t89 + 0x2248, 0, 0x34);
              				E0138E920(_t87, _t89 + 0x4590, 0, 0x20);
              				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
              				 *((short*)(_t89 + 0x6cfa)) = 0;
              				 *((char*)(_t89 + 0x6cd6)) = 0;
              				 *((char*)(_t89 + 0x6cf8)) = 0;
              				 *((char*)(_t89 + 0x21e0)) = 0;
              				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
              				return _t89;
              			}
















              APIs
              • __EH_prolog.LIBCMT ref: 01371382
                • Part of subcall function 01375E99: __EH_prolog.LIBCMT ref: 01375E9E
                • Part of subcall function 0137C4CA: __EH_prolog.LIBCMT ref: 0137C4CF
                • Part of subcall function 0137C4CA: new.LIBCMT ref: 0137C512
                • Part of subcall function 0137C4CA: new.LIBCMT ref: 0137C536
              • new.LIBCMT ref: 013713FA
                • Part of subcall function 0137AD1B: __EH_prolog.LIBCMT ref: 0137AD20
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 463f5f32240ebbda4182d7d1898cbe058d7014c301b6b8cabfa7a0243898c849
              • Instruction ID: 20a9acd7b916335beed9422d0f5682e0c854f1d1cc438785f0491df6cad61894
              • Opcode Fuzzy Hash: 463f5f32240ebbda4182d7d1898cbe058d7014c301b6b8cabfa7a0243898c849
              • Instruction Fuzzy Hash: C14133B1805B419EE724DF798484AE6FBF5FF28314F404A6EC5EE83281CB366654CB11
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E0137137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
              				void* __esi;
              				signed int _t62;
              				signed int _t63;
              				char _t64;
              				intOrPtr _t74;
              				intOrPtr* _t78;
              				void* _t86;
              				void* _t87;
              				intOrPtr* _t89;
              				void* _t91;
              				void* _t96;
              
              				_t96 = __eflags;
              				_t87 = __edi;
              				_t86 = __edx;
              				_t78 = __ecx;
              				E0138D870(E013A1157, _t91);
              				_push(_t78);
              				_t89 = _t78;
              				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
              				E0137943C(_t78);
              				 *_t89 = 0x13a22e8;
              				 *((intOrPtr*)(_t91 - 4)) = 0;
              				E01375E99(_t89 + 0x1024, _t86, _t96);
              				 *((char*)(_t91 - 4)) = 1;
              				E0137C4CA(_t89 + 0x20e8, _t86, _t96);
              				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
              				E0137151B();
              				_t62 = E0137151B();
              				 *((char*)(_t91 - 4)) = 4;
              				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
              				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
              				 *(_t89 + 0x21b8) = _t63;
              				_t98 = _t63;
              				if(_t63 == 0) {
              					_t64 =  *((intOrPtr*)(_t91 + 8));
              				} else {
              					_t74 = E0138D82C(_t86, _t89, _t98, 0x82e8);
              					 *((intOrPtr*)(_t91 + 8)) = _t74;
              					 *((char*)(_t91 - 4)) = 5;
              					if(_t74 == 0) {
              						_t64 = 0;
              					} else {
              						_t64 = E0137AD1B(_t74); // executed
              					}
              				}
              				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
              				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
              				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
              				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
              				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
              				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
              				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
              				 *((char*)(_t89 + 0x6cbc)) = 0;
              				 *((short*)(_t89 + 0x6cc4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
              				E0138E920(_t87, _t89 + 0x2208, 0, 0x40);
              				E0138E920(_t87, _t89 + 0x2248, 0, 0x34);
              				E0138E920(_t87, _t89 + 0x4590, 0, 0x20);
              				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
              				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
              				 *((short*)(_t89 + 0x6cfa)) = 0;
              				 *((char*)(_t89 + 0x6cd6)) = 0;
              				 *((char*)(_t89 + 0x6cf8)) = 0;
              				 *((char*)(_t89 + 0x21e0)) = 0;
              				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
              				return _t89;
              			}















              APIs
              • __EH_prolog.LIBCMT ref: 01371382
                • Part of subcall function 01375E99: __EH_prolog.LIBCMT ref: 01375E9E
                • Part of subcall function 0137C4CA: __EH_prolog.LIBCMT ref: 0137C4CF
                • Part of subcall function 0137C4CA: new.LIBCMT ref: 0137C512
                • Part of subcall function 0137C4CA: new.LIBCMT ref: 0137C536
              • new.LIBCMT ref: 013713FA
                • Part of subcall function 0137AD1B: __EH_prolog.LIBCMT ref: 0137AD20
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 194b8a16c5c195339551d59e18602f764dfe95c0e92a47d133deaef0bda8444d
              • Instruction ID: cf9c197525ddab8e99dec25089b50be528208531c7521e33ec9b27a9f41688f7
              • Opcode Fuzzy Hash: 194b8a16c5c195339551d59e18602f764dfe95c0e92a47d133deaef0bda8444d
              • Instruction Fuzzy Hash: C74122B1805B419EE724DF798484AE6FBE5FF28314F844A6EC5EE83281CB366554CB21
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E0139A6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
              				char _v8;
              				char _v16;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				char _t31;
              				signed int _t36;
              				char _t40;
              				intOrPtr _t44;
              				char _t45;
              				signed int _t51;
              				void* _t64;
              				void* _t70;
              				signed int _t75;
              				void* _t81;
              
              				_t81 = __eflags;
              				_v8 = E01398516(__ebx, __ecx, __edx);
              				E0139A7D1(__ebx, __ecx, __edx, _t81);
              				_t31 = E0139A446(_t81, _a4);
              				_v16 = _t31;
              				_t57 =  *(_v8 + 0x48);
              				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
              					return 0;
              				}
              				_push(__ebx);
              				_t70 = E01397A8A(_t57, 0x220);
              				_t51 = __ebx | 0xffffffff;
              				__eflags = _t70;
              				if(__eflags == 0) {
              					L5:
              					_t75 = _t51;
              					goto L6;
              				} else {
              					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
              					 *_t70 =  *_t70 & 0x00000000; // executed
              					_t36 = E0139A873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
              					_t75 = _t36;
              					__eflags = _t75 - _t51;
              					if(_t75 != _t51) {
              						__eflags = _a8;
              						if(_a8 == 0) {
              							E01397847();
              						}
              						asm("lock xadd [eax], ebx");
              						__eflags = _t51 == 1;
              						if(_t51 == 1) {
              							_t45 = _v8;
              							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x13adb20;
              							if( *((intOrPtr*)(_t45 + 0x48)) != 0x13adb20) {
              								E01397A50( *((intOrPtr*)(_t45 + 0x48)));
              							}
              						}
              						 *_t70 = 1;
              						_t64 = _t70;
              						_t70 = 0;
              						 *(_v8 + 0x48) = _t64;
              						_t40 = _v8;
              						__eflags =  *(_t40 + 0x350) & 0x00000002;
              						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
              							__eflags =  *0x13adda0 & 0x00000001;
              							if(( *0x13adda0 & 0x00000001) == 0) {
              								_v16 =  &_v8;
              								E0139A31C(5,  &_v16);
              								__eflags = _a8;
              								if(_a8 != 0) {
              									_t44 =  *0x13add40; // 0x1422310
              									 *0x13ad814 = _t44;
              								}
              							}
              						}
              						L6:
              						E01397A50(_t70);
              						return _t75;
              					} else {
              						 *((intOrPtr*)(E01397ECC())) = 0x16;
              						goto L5;
              					}
              				}
              			}



















              APIs
                • Part of subcall function 01398516: GetLastError.KERNEL32(?,013B00E0,01393394,013B00E0,?,?,01392E0F,?,?,013B00E0), ref: 0139851A
                • Part of subcall function 01398516: _free.LIBCMT ref: 0139854D
                • Part of subcall function 01398516: SetLastError.KERNEL32(00000000,?,013B00E0), ref: 0139858E
                • Part of subcall function 01398516: _abort.LIBCMT ref: 01398594
                • Part of subcall function 0139A7D1: _abort.LIBCMT ref: 0139A803
                • Part of subcall function 0139A7D1: _free.LIBCMT ref: 0139A837
                • Part of subcall function 0139A446: GetOEMCP.KERNEL32(00000000,?,?,0139A6CF,?), ref: 0139A471
              • _free.LIBCMT ref: 0139A72A
              • _free.LIBCMT ref: 0139A760
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free$ErrorLast_abort
              • String ID:
              • API String ID: 2991157371-0
              • Opcode ID: b36172fb0f97316857be1e4f32e559305c08d8baa7bade131c43c016b7f7729d
              • Instruction ID: 88df25b7c05f4d102c8b9188df25931d351779e1cbd9bc79270dd419b4bc1ba5
              • Opcode Fuzzy Hash: b36172fb0f97316857be1e4f32e559305c08d8baa7bade131c43c016b7f7729d
              • Instruction Fuzzy Hash: 8A31F531904209AFDF11EFECD481BADBBF5EF40368F254299E8059B291EB319E40CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01379528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
              				long _v0;
              				signed char _t34;
              				signed int _t36;
              				void* _t37;
              				signed char _t46;
              				struct _SECURITY_ATTRIBUTES* _t47;
              				long _t56;
              				void* _t59;
              				long _t63;
              
              				E0138D940();
              				_t46 = _a4108;
              				_t34 = _t46 >> 0x00000001 & 0x00000001;
              				_t59 = __ecx;
              				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
              					_t63 = 1;
              					__eflags = 1;
              				} else {
              					_t63 = 0;
              				}
              				 *(_t59 + 0x18) = _t46;
              				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
              				_t36 =  *(E0137B927(_t34, _a4104)) & 0x0000ffff;
              				if(_t36 == 0x2e || _t36 == 0x20) {
              					if((_t46 & 0x00000020) != 0) {
              						goto L8;
              					} else {
              						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
              						_t47 = 0;
              						_t56 = _v0;
              					}
              				} else {
              					L8:
              					_t56 = _v0;
              					_t47 = 0;
              					__eflags = 0;
              					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
              					 *(_t59 + 4) = _t37;
              				}
              				if( *(_t59 + 4) == 0xffffffff && E0137B32C(_a4104,  &_a4, 0x800) != 0) {
              					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
              				}
              				 *((char*)(_t59 + 0x12)) = 1;
              				 *(_t59 + 0xc) = _t47;
              				 *(_t59 + 0x10) = _t47;
              				return E0137FAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
              			}













              APIs
              • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,01379BF3,?,?,013776AC), ref: 013795B0
              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,01379BF3,?,?,013776AC), ref: 013795E5
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 13f3e138b18090331d66deb604f079d4171fbf59e615b64754ba730a388a6f47
              • Instruction ID: 6a60b5dc003396b330628400d94fd9fdf57a12bac48c13a7c5364f2eb48f9bb3
              • Opcode Fuzzy Hash: 13f3e138b18090331d66deb604f079d4171fbf59e615b64754ba730a388a6f47
              • Instruction Fuzzy Hash: 1C21F3B1004749EFE7318F58C844BA7BBEDEB4937CF004A2DF5E5821D2C278A9488B61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E01379A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
              				void* _v8;
              				void* _v16;
              				void* _v24;
              				signed char _v25;
              				int _t34;
              				signed char _t49;
              				signed int* _t51;
              				signed char _t57;
              				void* _t58;
              				void* _t59;
              				signed int* _t60;
              				signed int* _t62;
              
              				_t59 = __esi;
              				_t58 = __ecx;
              				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
              					FlushFileBuffers( *(__ecx + 4));
              				}
              				_t51 = _a4;
              				_t49 = 1;
              				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
              					_t57 = 0;
              				} else {
              					_t57 = 1;
              				}
              				_push(_t59);
              				_t60 = _a8;
              				_v25 = _t57;
              				if(_t60 == 0) {
              					L9:
              					_a4 = 0;
              				} else {
              					_a4 = _t49;
              					if(( *_t60 | _t60[1]) == 0) {
              						goto L9;
              					}
              				}
              				_t62 = _a12;
              				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
              					_t49 = 0;
              				}
              				if(_t57 != 0) {
              					E0138082F(_t51, _t57,  &_v24);
              				}
              				if(_a4 != 0) {
              					E0138082F(_t60, _t57,  &_v8);
              				}
              				if(_t49 != 0) {
              					E0138082F(_t62, _t57,  &_v16);
              				}
              				asm("sbb eax, eax");
              				asm("sbb eax, eax");
              				asm("sbb eax, eax");
              				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
              				return _t34;
              			}
















              APIs
              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,0137738C,?,?,?), ref: 01379A98
              • SetFileTime.KERNELBASE(?,?,?,?), ref: 01379B48
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$BuffersFlushTime
              • String ID:
              • API String ID: 1392018926-0
              • Opcode ID: b3fdda0be66bee4c183e1e9b2a746202beb17a486e9825cc5720ee735a86e10c
              • Instruction ID: 3469cd0dc617895b4d620bf28df532af34ba86ef4ebddb8e7d4e969604e84741
              • Opcode Fuzzy Hash: b3fdda0be66bee4c183e1e9b2a746202beb17a486e9825cc5720ee735a86e10c
              • Instruction Fuzzy Hash: 37210731659346AFEB65EF28C481BA7BFD8AF5121CF040A1CB880C7141D729D90CC791
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E01399990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
              				struct HINSTANCE__* _t13;
              				signed int* _t20;
              				signed int _t27;
              				signed int _t28;
              				signed int _t29;
              				signed int _t33;
              				intOrPtr* _t34;
              
              				_t20 = 0x13d07b8 + _a4 * 4;
              				_t27 =  *0x13ad668; // 0x5221689b
              				_t29 = _t28 | 0xffffffff;
              				_t33 = _t27 ^  *_t20;
              				asm("ror esi, cl");
              				if(_t33 == _t29) {
              					L14:
              					return 0;
              				}
              				if(_t33 == 0) {
              					_t34 = _a12;
              					if(_t34 == _a16) {
              						L7:
              						_t13 = 0;
              						L8:
              						if(_t13 == 0) {
              							L13:
              							_push(0x20);
              							asm("ror edi, cl");
              							 *_t20 = _t29 ^ _t27;
              							goto L14;
              						}
              						_t33 = GetProcAddress(_t13, _a8);
              						if(_t33 == 0) {
              							_t27 =  *0x13ad668; // 0x5221689b
              							goto L13;
              						}
              						 *_t20 = E0138DB10(_t33);
              						goto L2;
              					} else {
              						goto L4;
              					}
              					while(1) {
              						L4:
              						_t13 = E01399A2C( *_t34); // executed
              						if(_t13 != 0) {
              							break;
              						}
              						_t34 = _t34 + 4;
              						if(_t34 != _a16) {
              							continue;
              						}
              						_t27 =  *0x13ad668; // 0x5221689b
              						goto L7;
              					}
              					_t27 =  *0x13ad668; // 0x5221689b
              					goto L8;
              				}
              				L2:
              				return _t33;
              			}











              APIs
              • GetProcAddress.KERNEL32(00000000,?), ref: 013999F0
              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 013999FD
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc__crt_fast_encode_pointer
              • String ID:
              • API String ID: 2279764990-0
              • Opcode ID: 75c518a949eed13d5a7127716a2704ab44eb01f1a23e9e1b086ce9b489db90f0
              • Instruction ID: b8ebf491df2429464fecbda46d38a65d2a1e9f4d0caab05533d021a516865123
              • Opcode Fuzzy Hash: 75c518a949eed13d5a7127716a2704ab44eb01f1a23e9e1b086ce9b489db90f0
              • Instruction Fuzzy Hash: 0E11E733A011225BEF36DE6CEC40A9A7799EB8133CB464124ED18AB688D734DC01C7D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E01379B57() {
              				long _v4;
              				void* __ecx;
              				void* __ebp;
              				long _t12;
              				signed int _t14;
              				signed int _t21;
              				signed int _t22;
              				void* _t23;
              				long _t32;
              				void* _t34;
              
              				_t34 = _t23;
              				_t22 = _t21 | 0xffffffff;
              				if( *(_t34 + 4) != _t22) {
              					L3:
              					_v4 = _v4 & 0x00000000;
              					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
              					_t32 = _t12;
              					if(_t32 != _t22 || GetLastError() == 0) {
              						L7:
              						asm("cdq");
              						_t14 = 0 + _t32;
              						asm("adc edx, 0x0");
              						goto L8;
              					} else {
              						if( *((char*)(_t34 + 0x14)) == 0) {
              							_t14 = _t22;
              							L8:
              							return _t14;
              						}
              						E01376DE2(0x13b00e0, 0x13b00e0, _t34 + 0x1e);
              						goto L7;
              					}
              				}
              				if( *((char*)(_t34 + 0x14)) == 0) {
              					return _t22;
              				}
              				E01376DE2(0x13b00e0, 0x13b00e0, _t34 + 0x1e);
              				goto L3;
              			}














              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 01379B8D
              • GetLastError.KERNEL32 ref: 01379B99
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E01379903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
              				long _t14;
              				void* _t17;
              				intOrPtr* _t19;
              				long _t21;
              				void* _t23;
              				long _t25;
              				long _t28;
              				long _t31;
              
              				_t19 = __ecx;
              				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
              					L13:
              					return 1;
              				}
              				_t28 = _a4;
              				_t25 = _a8;
              				_t31 = _t25;
              				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
              					_t21 = _a12;
              				} else {
              					_t21 = _a12;
              					if(_t21 != 0) {
              						if(_t21 != 1) {
              							_t17 = E013796E1(_t23);
              						} else {
              							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
              						}
              						_t28 = _t28 + _t17;
              						asm("adc edi, edx");
              						_t21 = 0;
              					}
              				}
              				_a12 = _t25;
              				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
              				if(_t14 != 0xffffffff || GetLastError() == 0) {
              					goto L13;
              				} else {
              					return 0;
              				}
              			}












              APIs
              • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 01379957
              • GetLastError.KERNEL32 ref: 01379964
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E01397B78(void* __ecx, void* __edx, void* _a4, long _a8) {
              				void* __esi;
              				void* _t4;
              				long _t7;
              				void* _t9;
              				void* _t13;
              				void* _t14;
              				long _t16;
              
              				_t13 = __edx;
              				_t10 = __ecx;
              				_t14 = _a4;
              				if(_t14 != 0) {
              					_t16 = _a8;
              					__eflags = _t16;
              					if(_t16 != 0) {
              						__eflags = _t16 - 0xffffffe0;
              						if(_t16 <= 0xffffffe0) {
              							while(1) {
              								_t4 = RtlReAllocateHeap( *0x13d0874, 0, _t14, _t16); // executed
              								__eflags = _t4;
              								if(_t4 != 0) {
              									break;
              								}
              								__eflags = E01397906();
              								if(__eflags == 0) {
              									goto L5;
              								}
              								_t7 = E01396763(_t10, _t13, _t16, __eflags, _t16);
              								_pop(_t10);
              								__eflags = _t7;
              								if(_t7 == 0) {
              									goto L5;
              								}
              							}
              							L7:
              							return _t4;
              						}
              						L5:
              						 *((intOrPtr*)(E01397ECC())) = 0xc;
              						L6:
              						_t4 = 0;
              						__eflags = 0;
              						goto L7;
              					}
              					E01397A50(_t14);
              					goto L6;
              				}
              				_t9 = E01397A8A(__ecx, _a8); // executed
              				return _t9;
              			}











              APIs
              • _free.LIBCMT ref: 01397B99
                • Part of subcall function 01397A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01392FA6,?,0000015D,?,?,?,?,01394482,000000FF,00000000,?,?), ref: 01397ABC
              • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,013B00E0,0137CB18,?,?,?,?,?,?), ref: 01397BD5
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: AllocateHeap$_free
              • String ID:
              • API String ID: 1482568997-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01380574(void* __ecx) {
              				long _v8;
              				long _v12;
              				int _t8;
              				void* _t14;
              				signed int _t15;
              				signed int _t17;
              
              				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
              				if(_t8 == 0) {
              					return _t8 + 1;
              				}
              				_t14 = 0;
              				_t17 = _v8;
              				_t15 = 1;
              				do {
              					if((_t17 & _t15) != 0) {
              						_t14 = _t14 + 1;
              					}
              					_t15 = _t15 + _t15;
              				} while (_t15 != 0);
              				if(_t14 >= 1) {
              					return _t14;
              				}
              				return 1;
              			}










              APIs
              • GetCurrentProcess.KERNEL32(?,?), ref: 01380581
              • GetProcessAffinityMask.KERNEL32(00000000), ref: 01380588
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: Process$AffinityCurrentMask
              • String ID:
              • API String ID: 1231390398-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E0137A12F(WCHAR* _a4, long _a8) {
              				short _v4100;
              				int _t12;
              				signed int _t18;
              				signed int _t19;
              
              				E0138D940();
              				_push(_t18);
              				_t12 = SetFileAttributesW(_a4, _a8); // executed
              				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
              				if(_t19 == 0 && E0137B32C(_a4,  &_v4100, 0x800) != 0) {
              					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
              				}
              				return _t19;
              			}








              APIs
              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,01379F65,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 0137A143
              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,01379F65,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 0137A174
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: ItemText_swprintf
              • String ID:
              • API String ID: 3011073432-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E01379E18(WCHAR* _a4) {
              				short _v4100;
              				int _t10;
              				signed int _t16;
              				signed int _t17;
              
              				E0138D940();
              				_push(_t16);
              				_t10 = DeleteFileW(_a4); // executed
              				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
              				if(_t17 == 0 && E0137B32C(_a4,  &_v4100, 0x800) != 0) {
              					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
              				}
              				return _t17;
              			}








              APIs
              • DeleteFileW.KERNELBASE(?,?,?,01379648,?,?,013794A3), ref: 01379E29
              • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,01379648,?,?,013794A3), ref: 01379E57
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01379E7F(WCHAR* _a4) {
              				short _v4100;
              				long _t6;
              				long _t11;
              				long _t13;
              
              				E0138D940();
              				_t6 = GetFileAttributesW(_a4); // executed
              				_t13 = _t6;
              				if(_t13 == 0xffffffff && E0137B32C(_a4,  &_v4100, 0x800) != 0) {
              					_t11 = GetFileAttributesW( &_v4100); // executed
              					_t13 = _t11;
              				}
              				return _t13;
              			}








              APIs
              • GetFileAttributesW.KERNELBASE(?,?,?,01379E74,?,013774F7,?,?,?,?), ref: 01379E90
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,01379E74,?,013774F7,?,?,?,?), ref: 01379EBC
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0137FCFD(intOrPtr _a4) {
              				short _v4100;
              				struct HINSTANCE__* _t7;
              
              				E0138D940();
              				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
              				if(_t7 != 0) {
              					E0137B625( &_v4100, _a4,  &_v4100, 0x800);
              					_t7 = LoadLibraryW( &_v4100); // executed
              				}
              				return _t7;
              			}






              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0137FD18
              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0137E7F6,Crypt32.dll,?,0137E878,?,0137E85C,?,?,?,?), ref: 0137FD3A
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: DirectoryLibraryLoadSystem
              • String ID:
              • API String ID: 1175261203-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E0138938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				signed int* _t10;
              				signed int _t15;
              
              				_push(__ecx);
              				_t15 = __ecx;
              				_t10 =  &_v8;
              				_v8 = __ecx;
              				_v8 = _v8 & 0x00000000;
              				_push(_t10);
              				_push(_a4);
              				 *__ecx = 0x13a3398;
              				if(_a8 == 0) {
              					L0138D80E(); // executed
              				} else {
              					L0138D814();
              				}
              				 *((intOrPtr*)(_t15 + 8)) = _t10;
              				 *(_t15 + 4) = _v8;
              				return _t15;
              			}







              APIs
              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 013893AF
              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 013893B6
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: BitmapCreateFromGdipStream
              • String ID:
              • API String ID: 1918208029-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E01389B08(void* __ecx) {
              				intOrPtr _v16;
              				intOrPtr* _t5;
              				void* _t7;
              				void* _t11;
              				intOrPtr _t14;
              
              				 *[fs:0x0] = _t14;
              				_t5 =  *0x13b75c0; // 0x754ec100
              				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E013A1161, 0xffffffff);
              				L0138D826(); // executed
              				_t7 =  *0x13adff0( *((intOrPtr*)(__ecx + 4))); // executed
              				 *[fs:0x0] = _v16;
              				return _t7;
              			}









              APIs
              • GdiplusShutdown.GDIPLUS(?,?,?,013A1161,000000FF), ref: 01389B31
              • OleUninitialize.OLE32(?,?,?,013A1161,000000FF), ref: 01389B36
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: GdiplusShutdownUninitialize
              • String ID:
              • API String ID: 3856339756-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E01391726(void* __ecx, void* __eflags) {
              				intOrPtr _t1;
              				void* _t2;
              				void* _t9;
              
              				_t1 = E0139281A(__eflags, E0139166A); // executed
              				 *0x13ad680 = _t1;
              				if(_t1 != 0xffffffff) {
              					_t2 = E013928C8(__eflags, _t1, 0x13d01dc);
              					_pop(_t9);
              					__eflags = _t2;
              					if(_t2 != 0) {
              						return 1;
              					} else {
              						E01391759(_t9);
              						goto L1;
              					}
              				} else {
              					L1:
              					return 0;
              				}
              			}







              APIs
                • Part of subcall function 0139281A: try_get_function.LIBVCRUNTIME ref: 0139282F
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01391744
              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0139174F
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              Similarity
              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
              • String ID:
              • API String ID: 806969131-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E013712B2(struct HWND__* _a4, int _a8, signed char _a12) {
              				int _t8;
              
              				asm("sbb eax, eax");
              				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
              				return _t8;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemShowWindow
              • String ID:
              • API String ID: 3351165006-0
              • Opcode ID: 9a28cb33b1416f1ca548fe235fee480f6cfa620fb14e013e823b17a0818f8957
              • Instruction ID: e311243b2b0b519720bbd2b17f7d48a43f8d0b9e721c37c0b66fec0199e74696
              • Opcode Fuzzy Hash: 9a28cb33b1416f1ca548fe235fee480f6cfa620fb14e013e823b17a0818f8957
              • Instruction Fuzzy Hash: 78C01272058200BECB011BB0DC09D2FBBACABA4312F04C908F0A5C0098CA38C014DB11
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E01371973(intOrPtr* __ecx, intOrPtr __edx) {
              				signed int _t106;
              				intOrPtr _t109;
              				signed int _t110;
              				signed int _t112;
              				signed int _t116;
              				signed int _t119;
              				signed int _t127;
              				intOrPtr _t128;
              				char _t129;
              				char _t138;
              				intOrPtr _t143;
              				signed int _t144;
              				signed int _t145;
              				void* _t147;
              				signed int _t152;
              				signed int _t153;
              				signed int _t155;
              				void* _t159;
              				void* _t160;
              				signed int _t166;
              				intOrPtr* _t169;
              				signed int _t175;
              				void* _t176;
              				signed int _t178;
              				char* _t190;
              				intOrPtr _t191;
              				intOrPtr _t197;
              				intOrPtr* _t199;
              				signed int _t202;
              				void* _t204;
              				char* _t205;
              				intOrPtr _t206;
              				void* _t207;
              
              				_t197 = __edx;
              				_t169 = __ecx;
              				E0138D870(E013A1451, _t207);
              				_t199 = _t169;
              				_push(7);
              				_t164 = _t199 + 0x21f8;
              				_push(_t199 + 0x21f8);
              				 *((char*)(_t199 + 0x6cbc)) = 0;
              				 *((char*)(_t199 + 0x6cc4)) = 0;
              				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
              					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
              					_t106 = E01371D09(_t164, 7);
              					__eflags = _t106;
              					if(_t106 == 0) {
              						E01376ED7(_t207 - 0x38, 0x200000);
              						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
              						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
              						_t197 =  *_t199;
              						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
              						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
              						_t175 = _t110;
              						_t202 = 0;
              						 *(_t207 - 0x14) = _t175;
              						_t166 = 1;
              						__eflags = _t175;
              						if(_t175 <= 0) {
              							L22:
              							__eflags =  *(_t199 + 0x6cc0);
              							_t176 = _t207 - 0x38;
              							if( *(_t199 + 0x6cc0) != 0) {
              								_t37 = _t207 - 4; // executed
              								 *_t37 =  *(_t207 - 4) | 0xffffffff;
              								__eflags =  *_t37;
              								E0137159C(_t176); // executed
              								L25:
              								_t112 =  *(_t199 + 0x6cb0);
              								__eflags = _t112 - 4;
              								if(__eflags != 0) {
              									__eflags = _t112 - 3;
              									if(_t112 != 3) {
              										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
              										L32:
              										 *((char*)(_t207 - 0xd)) = 0;
              										__eflags = E0137391A(_t199, _t197);
              										 *(_t207 - 0xe) = 0;
              										__eflags = 0 - 1;
              										if(0 != 1) {
              											L38:
              											_t116 =  *((intOrPtr*)(_t207 - 0xd));
              											L39:
              											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
              											__eflags = _t178;
              											if(_t178 == 0) {
              												L41:
              												__eflags =  *((char*)(_t199 + 0x6cc4));
              												if( *((char*)(_t199 + 0x6cc4)) != 0) {
              													L43:
              													__eflags = _t178;
              													if(__eflags == 0) {
              														E0137134C(__eflags, 0x1b, _t199 + 0x1e);
              													}
              													__eflags =  *((char*)(_t207 + 8));
              													if( *((char*)(_t207 + 8)) != 0) {
              														L48:
              														__eflags =  *(_t207 - 0xe);
              														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
              														if( *(_t207 - 0xe) == 0) {
              															L69:
              															__eflags =  *((char*)(_t199 + 0x6cb5));
              															if( *((char*)(_t199 + 0x6cb5)) == 0) {
              																L71:
              																E0137FAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
              																L72:
              																_t119 = _t166;
              																goto L73;
              															}
              															__eflags =  *((char*)(_t199 + 0x6cb9));
              															if( *((char*)(_t199 + 0x6cb9)) == 0) {
              																goto L72;
              															}
              															goto L71;
              														}
              														__eflags =  *((char*)(_t199 + 0x21e0));
              														if( *((char*)(_t199 + 0x21e0)) == 0) {
              															L51:
              															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
              															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
              															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
              															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
              															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
              															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
              															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
              															while(1) {
              																_t127 = E0137391A(_t199, _t197);
              																__eflags = _t127;
              																if(_t127 == 0) {
              																	break;
              																}
              																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
              																__eflags = _t128 - 3;
              																if(_t128 != 3) {
              																	__eflags = _t128 - 2;
              																	if(_t128 == 2) {
              																		__eflags =  *((char*)(_t199 + 0x6cb5));
              																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
              																			L66:
              																			_t129 = 0;
              																			__eflags = 0;
              																			L67:
              																			 *((char*)(_t199 + 0x6cb9)) = _t129;
              																			L68:
              																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
              																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
              																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
              																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
              																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
              																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
              																			goto L69;
              																		}
              																		__eflags =  *((char*)(_t199 + 0x3318));
              																		if( *((char*)(_t199 + 0x3318)) != 0) {
              																			goto L66;
              																		}
              																		_t129 = _t166;
              																		goto L67;
              																	}
              																	__eflags = _t128 - 5;
              																	if(_t128 == 5) {
              																		goto L68;
              																	}
              																	L60:
              																	E01371E3B(_t199);
              																	continue;
              																}
              																__eflags =  *((char*)(_t199 + 0x6cb5));
              																if( *((char*)(_t199 + 0x6cb5)) == 0) {
              																	L56:
              																	_t138 = 0;
              																	__eflags = 0;
              																	L57:
              																	 *((char*)(_t199 + 0x6cb9)) = _t138;
              																	goto L60;
              																}
              																__eflags =  *((char*)(_t199 + 0x5668));
              																if( *((char*)(_t199 + 0x5668)) != 0) {
              																	goto L56;
              																}
              																_t138 = _t166;
              																goto L57;
              															}
              															goto L68;
              														}
              														__eflags =  *((char*)(_t199 + 0x6cbc));
              														if( *((char*)(_t199 + 0x6cbc)) != 0) {
              															goto L69;
              														}
              														goto L51;
              													} else {
              														L46:
              														_t119 = 0;
              														L73:
              														L74:
              														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
              														return _t119;
              													}
              												}
              												__eflags = _t116;
              												if(_t116 != 0) {
              													goto L48;
              												}
              												goto L43;
              											}
              											__eflags =  *((char*)(_t207 + 8));
              											if( *((char*)(_t207 + 8)) == 0) {
              												goto L46;
              											}
              											goto L41;
              										}
              										__eflags = 0;
              										 *((char*)(_t207 - 0xd)) = 0;
              										while(1) {
              											E01371E3B(_t199);
              											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
              											__eflags = _t143 - _t166;
              											if(_t143 == _t166) {
              												break;
              											}
              											__eflags =  *((char*)(_t199 + 0x21e0));
              											if( *((char*)(_t199 + 0x21e0)) == 0) {
              												L37:
              												_t144 = E0137391A(_t199, _t197);
              												__eflags = _t144;
              												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
              												 *(_t207 - 0xe) = _t145;
              												__eflags = _t145 - 1;
              												if(_t145 == 1) {
              													continue;
              												}
              												goto L38;
              											}
              											__eflags = _t143 - 4;
              											if(_t143 == 4) {
              												break;
              											}
              											goto L37;
              										}
              										_t116 = _t166;
              										goto L39;
              									}
              									_t205 = _t199 + 0x21ff;
              									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
              									__eflags = _t147 - _t166;
              									if(_t147 != _t166) {
              										goto L46;
              									}
              									__eflags =  *_t205;
              									if( *_t205 != 0) {
              										goto L46;
              									}
              									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
              									goto L32;
              								}
              								E0137134C(__eflags, 0x3c, _t199 + 0x1e);
              								goto L46;
              							}
              							E0137159C(_t176);
              							goto L46;
              						} else {
              							goto L6;
              						}
              						do {
              							L6:
              							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
              							__eflags =  *_t190 - 0x52;
              							if( *_t190 != 0x52) {
              								goto L17;
              							}
              							_t152 = E01371D09(_t190, _t110 - _t202);
              							__eflags = _t152;
              							if(_t152 == 0) {
              								L16:
              								_t110 =  *(_t207 - 0x14);
              								goto L17;
              							}
              							_t191 =  *((intOrPtr*)(_t207 - 0x18));
              							 *(_t199 + 0x6cb0) = _t152;
              							__eflags = _t152 - _t166;
              							if(_t152 != _t166) {
              								L19:
              								_t197 =  *_t199;
              								_t153 = _t202 + _t191;
              								 *(_t199 + 0x6cc0) = _t153;
              								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
              								_t155 =  *(_t199 + 0x6cb0);
              								__eflags = _t155 - 2;
              								if(_t155 == 2) {
              									L21:
              									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
              									goto L22;
              								}
              								__eflags = _t155 - 3;
              								if(_t155 != 3) {
              									goto L22;
              								}
              								goto L21;
              							}
              							__eflags = _t202;
              							if(_t202 <= 0) {
              								goto L19;
              							}
              							__eflags = _t191 - 0x1c;
              							if(_t191 >= 0x1c) {
              								goto L19;
              							}
              							__eflags =  *(_t207 - 0x14) - 0x1f;
              							if( *(_t207 - 0x14) <= 0x1f) {
              								goto L19;
              							}
              							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
              							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
              							if( *((char*)(_t159 + 0x1c)) != 0x52) {
              								goto L16;
              							}
              							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
              							if( *((char*)(_t159 + 0x1d)) != 0x53) {
              								goto L16;
              							}
              							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
              							if( *((char*)(_t159 + 0x1e)) != 0x46) {
              								goto L16;
              							}
              							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
              							if( *((char*)(_t159 + 0x1f)) == 0x58) {
              								goto L19;
              							}
              							goto L16;
              							L17:
              							_t202 = _t202 + 1;
              							__eflags = _t202 - _t110;
              						} while (_t202 < _t110);
              						goto L22;
              					}
              					 *(_t199 + 0x6cb0) = _t106;
              					_t166 = 1;
              					__eflags = _t106 - 1;
              					if(_t106 == 1) {
              						_t206 =  *_t199;
              						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
              						asm("sbb edx, 0x0");
              						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
              					}
              					goto L25;
              				}
              				_t119 = 0;
              				goto L74;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 8a05b625833df7ec6053beff703d3c5dc6a53b56065ae0bcb953af72c0193c8d
              • Instruction ID: 0c70829a15ca162ce05c4d5a4c4624a479bb881537a6bc32e1af46ce863b12a7
              • Opcode Fuzzy Hash: 8a05b625833df7ec6053beff703d3c5dc6a53b56065ae0bcb953af72c0193c8d
              • Instruction Fuzzy Hash: 0FB1F072B00646AFEF39DFBCC484BB9FBE6BF05208F040259D55993281DB78A564CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E013781C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
              				void* __esi;
              				void* _t47;
              				signed int _t50;
              				signed int _t51;
              				void* _t53;
              				signed int _t55;
              				signed int _t61;
              				intOrPtr _t73;
              				signed int _t80;
              				intOrPtr _t88;
              				void* _t89;
              				void* _t91;
              				intOrPtr _t93;
              				void* _t95;
              				void* _t98;
              
              				_t98 = __eflags;
              				_t90 = __edi;
              				_t88 = __edx;
              				_t73 = __ecx;
              				E0138D870(E013A12D2, _t95);
              				E0138D940();
              				_t93 = _t73;
              				_t1 = _t95 - 0x9d58; // -38232
              				E0137137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
              				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
              				_t6 = _t95 - 0x9d58; // -38232
              				if(E01379C0E(_t6, _t93 + 0xf4) != 0) {
              					_t7 = _t95 - 0x9d58; // -38232, executed
              					_t47 = E01371973(_t7, _t88, 1); // executed
              					if(_t47 != 0) {
              						__eflags =  *((char*)(_t95 - 0x3093));
              						if( *((char*)(_t95 - 0x3093)) == 0) {
              							_push(__edi);
              							_t91 = 0;
              							__eflags =  *(_t95 - 0x30a3);
              							if( *(_t95 - 0x30a3) != 0) {
              								_t10 = _t95 - 0x9d3a; // -38202
              								_t11 = _t95 - 0x1010; // -2064
              								_t61 = E0137FAB1(_t11, _t10, 0x800);
              								__eflags =  *(_t95 - 0x309e);
              								while(1) {
              									_t17 = _t95 - 0x1010; // -2064
              									E0137B782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
              									_t18 = _t95 - 0x2058; // -6232
              									E01376EF9(_t18);
              									_push(0);
              									_t19 = _t95 - 0x2058; // -6232
              									_t20 = _t95 - 0x1010; // -2064
              									_t61 = E0137A1B1(_t18, _t88, __eflags, _t20, _t19);
              									__eflags = _t61;
              									if(_t61 == 0) {
              										break;
              									}
              									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
              									asm("adc ebx, [ebp-0x1054]");
              									__eflags =  *(_t95 - 0x309e);
              								}
              								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
              								asm("adc [esi+0x9c], ebx");
              							}
              							_t23 = _t95 - 0x9d58; // -38232
              							E0137835C(_t93, _t88, _t23);
              							_t50 =  *(_t93 + 8);
              							_t89 = 0x49;
              							_pop(_t90);
              							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
              							__eflags = _t80 - 0x54;
              							if(_t80 == 0x54) {
              								L11:
              								 *((char*)(_t50 + 0x61f9)) = 1;
              							} else {
              								__eflags = _t80 - _t89;
              								if(_t80 == _t89) {
              									goto L11;
              								}
              							}
              							_t51 =  *(_t93 + 8);
              							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
              							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
              								__eflags =  *((char*)(_t51 + 0x61f9));
              								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
              								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
              								E01380FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
              							}
              							_t33 = _t95 - 0x9d58; // -38232
              							E01371E4F(_t33, _t89);
              							do {
              								_t34 = _t95 - 0x9d58; // -38232
              								_t53 = E0137391A(_t34, _t89);
              								_t35 = _t95 - 0xd; // 0x7f3
              								_t36 = _t95 - 0x9d58; // -38232
              								_t55 = E013783C0(_t93, _t36, _t53, _t35); // executed
              								__eflags = _t55;
              							} while (_t55 != 0);
              						}
              					} else {
              						E01376E03(0x13b00e0, 1);
              					}
              				}
              				_t37 = _t95 - 0x9d58; // -38232, executed
              				E0137162D(_t37, _t90, _t93); // executed
              				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
              				return 0;
              			}

              APIs
              • __EH_prolog.LIBCMT ref: 013781C9
                • Part of subcall function 0137137D: __EH_prolog.LIBCMT ref: 01371382
                • Part of subcall function 0137137D: new.LIBCMT ref: 013713FA
                • Part of subcall function 01371973: __EH_prolog.LIBCMT ref: 01371978
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 929d7538cba642528460ec2cb0a5ccc9242d9274657d61cefaf60cbb6963a891
              • Instruction ID: 82adda8e7fd230cd7f69fcb9587b3d0e18520a2a94a223097694a5690ef66060
              • Opcode Fuzzy Hash: 929d7538cba642528460ec2cb0a5ccc9242d9274657d61cefaf60cbb6963a891
              • Instruction Fuzzy Hash: EA41B7729406599AEB35EB68CC54FEAB7B9AF10308F0404EAD54D93092DB785BC8DF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E01382A7F(void* __ecx, void* __edx) {
              				void* __edi;
              				void* __esi;
              				void* _t29;
              				signed int _t30;
              				signed int* _t36;
              				signed int _t38;
              				intOrPtr _t39;
              				intOrPtr _t42;
              				signed int _t44;
              				void* _t47;
              				void* _t48;
              				void* _t56;
              				void* _t60;
              				signed int _t65;
              				void* _t67;
              				void* _t69;
              				void* _t73;
              
              				_t56 = __edx;
              				_t48 = __ecx;
              				_t29 = E0138D870(E013A1486, _t67);
              				_push(_t48);
              				_push(_t48);
              				_t60 = _t48;
              				_t44 = 0;
              				_t72 =  *((intOrPtr*)(_t60 + 0x20));
              				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
              					_push(0x400400); // executed
              					_t42 = E0138DB02(_t48, _t56, 0x400400, _t72); // executed
              					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
              					_t29 = E0138E920(_t60, _t42, 0, 0x400400);
              					_t69 = _t69 + 0x10;
              				}
              				_t73 =  *(_t60 + 0x18) - _t44;
              				if(_t73 == 0) {
              					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
              					_t30 = _t65;
              					 *(_t67 - 0x10) = _t65;
              					_t58 = _t30 * 0x4ae4 >> 0x20;
              					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
              					_t36 = E0138DB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
              					_pop(0x13b00e0);
              					 *(_t67 - 0x14) = _t36;
              					 *(_t67 - 4) = _t44;
              					_t74 = _t36;
              					if(_t36 != 0) {
              						_push(E01381788);
              						_push(E01381611);
              						_push(_t65);
              						_t16 =  &(_t36[1]); // 0x4
              						_t44 = _t16;
              						 *_t36 = _t65;
              						_push(0x4ae4);
              						_push(_t44);
              						E0138D96D(_t58, _t74);
              					}
              					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
              					 *(_t60 + 0x18) = _t44;
              					_t29 = E0138E920(_t60, _t44, 0, _t65 * 0x4ae4);
              					if(_t65 != 0) {
              						_t38 = 0;
              						 *(_t67 - 0x10) = 0;
              						do {
              							_t47 =  *(_t60 + 0x18) + _t38;
              							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
              								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
              								_t39 = E01392B53(0x13b00e0); // executed
              								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
              								0x13b00e0 = 0x30c00;
              								if(_t39 == 0) {
              									E01376D3A(0x13b00e0);
              								}
              								_t38 =  *(_t67 - 0x10);
              							}
              							_t38 = _t38 + 0x4ae4;
              							 *(_t67 - 0x10) = _t38;
              							_t65 = _t65 - 1;
              						} while (_t65 != 0);
              					}
              				}
              				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
              				return _t29;
              			}





















              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 537eb93eda9938066a0da986e64b735be8000c7561d916f800946db5abe1d45b
              • Instruction ID: 3381d958a1f7e638f9a094d83bb28ee7008214c4548078843af34021d279a232
              • Opcode Fuzzy Hash: 537eb93eda9938066a0da986e64b735be8000c7561d916f800946db5abe1d45b
              • Instruction Fuzzy Hash: 312126B1E41316AFDB15EFBCDC41A6B76B8FF0521CF00023AE519EB681D7749900C6A8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E01389EEF(void* __ecx, void* __edx, void* __eflags) {
              				void* __edi;
              				void* __esi;
              				short _t33;
              				char _t36;
              				void* _t47;
              				void* _t50;
              				short _t55;
              				void* _t57;
              				void* _t58;
              				short _t60;
              				void* _t62;
              				intOrPtr _t64;
              				void* _t67;
              
              				_t67 = __eflags;
              				_t57 = __edx;
              				_t47 = __ecx;
              				E0138D870(E013A14E1, _t62);
              				_push(_t47);
              				E0138D940();
              				_push(_t60);
              				_push(_t58);
              				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
              				 *((intOrPtr*)(_t62 - 4)) = 0;
              				E0137137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
              				 *((char*)(_t62 - 4)) = 1;
              				E01371E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
              				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
              					 *((intOrPtr*)(_t62 - 0x24)) = 0;
              					 *((intOrPtr*)(_t62 - 0x20)) = 0;
              					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
              					 *((intOrPtr*)(_t62 - 0x18)) = 0;
              					 *((char*)(_t62 - 0x14)) = 0;
              					 *((char*)(_t62 - 4)) = 2;
              					_t50 = _t62 - 0x7d24;
              					_t33 = E0137192E(_t57, _t62 - 0x24);
              					__eflags = _t33;
              					if(_t33 != 0) {
              						_t60 =  *((intOrPtr*)(_t62 - 0x20));
              						_t58 = _t60 + _t60;
              						_push(_t58 + 2);
              						_t55 = E01392B53(_t50);
              						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
              						__eflags = _t55;
              						if(_t55 != 0) {
              							__eflags = 0;
              							 *((short*)(_t58 + _t55)) = 0;
              							E0138EA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
              						} else {
              							_t60 = 0;
              						}
              						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
              					}
              					E013715E3(_t62 - 0x24);
              					E0137162D(_t62 - 0x7d24, _t58, _t60); // executed
              					_t36 = 1;
              				} else {
              					E0137162D(_t62 - 0x7d24, _t58, _t60);
              					_t36 = 0;
              				}
              				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
              				return _t36;
              			}

















              APIs
              • __EH_prolog.LIBCMT ref: 01389EF4
                • Part of subcall function 0137137D: __EH_prolog.LIBCMT ref: 01371382
                • Part of subcall function 0137137D: new.LIBCMT ref: 013713FA
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: ba7a114a1d44cf5a55cab284545b353a0a31874a2d75f8dc538170fc435dc731
              • Instruction ID: 072a5424eccefd0ec221269498f398406a46d230428575c140a9d3e98c4a1d66
              • Opcode Fuzzy Hash: ba7a114a1d44cf5a55cab284545b353a0a31874a2d75f8dc538170fc435dc731
              • Instruction Fuzzy Hash: 77212476D0425A9ACF25EF99D9409FDB7F4AF59218F0004DAE80977241D7396E05CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E0137910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
              				void* _t21;
              				intOrPtr _t22;
              				intOrPtr _t27;
              				void* _t35;
              				intOrPtr _t37;
              				intOrPtr _t40;
              				void* _t42;
              				void* _t49;
              
              				_t35 = __edx;
              				E0138D870(E013A1321, _t42);
              				E01376ED7(_t42 - 0x20, E01377C3C());
              				_push( *((intOrPtr*)(_t42 - 0x1c)));
              				_push( *((intOrPtr*)(_t42 - 0x20)));
              				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
              				_t40 = E0137C70F();
              				if(_t40 > 0) {
              					_t27 =  *((intOrPtr*)(_t42 + 0x10));
              					_t37 =  *((intOrPtr*)(_t42 + 0xc));
              					do {
              						_t22 = _t40;
              						asm("cdq");
              						_t49 = _t35 - _t27;
              						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
              							_t40 = _t37;
              						}
              						if(_t40 > 0) {
              							E0137C8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
              							asm("cdq");
              							_t37 = _t37 - _t40;
              							asm("sbb ebx, edx");
              						}
              						_push( *((intOrPtr*)(_t42 - 0x1c)));
              						_push( *((intOrPtr*)(_t42 - 0x20)));
              						_t40 = E0137C70F();
              					} while (_t40 > 0);
              				}
              				_t21 = E0137159C(_t42 - 0x20); // executed
              				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
              				return _t21;
              			}












              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: d417386ac3b55c683e6b19d89dd34ee4d5d02f4be56c18b3cdfbe4a461cfafcb
              • Instruction ID: 2fb3829acd04b81e8fed17c947195aa6deb128ac3f79ba804b394210466256ca
              • Opcode Fuzzy Hash: d417386ac3b55c683e6b19d89dd34ee4d5d02f4be56c18b3cdfbe4a461cfafcb
              • Instruction Fuzzy Hash: B611A977D1052A9BCF35AB9CDC44ADEBB35EF58668F054219E81467350CB38C91487E0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E0138C6FF(void* __ecx, void* __eflags) {
              				void* __ebx;
              				intOrPtr _t18;
              				char _t19;
              				char _t20;
              				void* _t23;
              				void* _t24;
              				void* _t26;
              				void* _t37;
              				void* _t43;
              				intOrPtr _t45;
              
              				_t26 = __ecx;
              				E0138D870(E013A1520, _t43);
              				_push(_t26);
              				E0138D940();
              				_push(_t24);
              				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
              				E01394D7E(0x13c39fa, "X");
              				E0137FB08(0x13c5a1c, _t37, 0x13a22e0);
              				E01394D7E(0x13c4a1a,  *((intOrPtr*)(_t43 + 0xc)));
              				E01375A9F(0x13bb708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
              				_t4 = _t43 - 4;
              				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
              				_t18 = 2;
              				 *0x13c29d8 = _t18;
              				 *0x13c29d4 = _t18;
              				 *0x13c29d0 = _t18;
              				_t19 =  *0x13b75d4; // 0x0
              				 *0x13c185b = _t19;
              				_t20 =  *0x13b75d5; // 0x1
              				 *0x13c1894 = 1;
              				 *0x13c1897 = 1;
              				 *0x13c185c = _t20;
              				E01377ADF(_t43 - 0x2108, _t37,  *_t4, 0x13bb708);
              				 *(_t43 - 4) = 1;
              				E01377C55(_t43 - 0x2108, _t37,  *_t4);
              				_t23 = E01377B71(_t24, _t43 - 0x2108, _t37); // executed
              				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
              				return _t23;
              			}














              APIs
              • __EH_prolog.LIBCMT ref: 0138C704
                • Part of subcall function 01377ADF: __EH_prolog.LIBCMT ref: 01377AE4
                • Part of subcall function 01377ADF: new.LIBCMT ref: 01377B28
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 8fb141db5ae731d246029494cf051b41d6c9210ce08f06b2bbd900f066228e07
              • Instruction ID: d576161df787a74d37d3b073e3fc22d7610f6b2f7722120d0b538bcae51daa4e
              • Opcode Fuzzy Hash: 8fb141db5ae731d246029494cf051b41d6c9210ce08f06b2bbd900f066228e07
              • Instruction Fuzzy Hash: 58113A35508384EED724EBACE945BED7FA8EB34318F00009FD40462386DBB12A84DB21
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E0139B0DB(void* __edx, void* __esi, void* __eflags) {
              				intOrPtr _v12;
              				void* __ecx;
              				char _t16;
              				void* _t17;
              				void* _t26;
              				void* _t28;
              				void* _t31;
              				char _t32;
              				void* _t34;
              				intOrPtr* _t36;
              
              				_push(_t26);
              				_push(_t26);
              				_t16 = E01397B1B(_t26, 0x40, 0x30); // executed
              				_t32 = _t16;
              				_v12 = _t32;
              				_t28 = _t31;
              				if(_t32 != 0) {
              					_t2 = _t32 + 0xc00; // 0xc00
              					_t17 = _t2;
              					__eflags = _t32 - _t17;
              					if(__eflags != 0) {
              						_t3 = _t32 + 0x20; // 0x20
              						_t36 = _t3;
              						_t34 = _t17;
              						do {
              							_t4 = _t36 - 0x20; // 0x0
              							E01399C02(_t28, _t36, __eflags, _t4, 0xfa0, 0);
              							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
              							 *_t36 = 0;
              							_t36 = _t36 + 0x30;
              							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
              							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
              							 *((char*)(_t36 - 0x24)) = 0xa;
              							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
              							 *((char*)(_t36 - 0x22)) = 0;
              							__eflags = _t36 - 0x20 - _t34;
              						} while (__eflags != 0);
              						_t32 = _v12;
              					}
              				} else {
              					_t32 = 0;
              				}
              				E01397A50(0);
              				return _t32;
              			}














              APIs
                • Part of subcall function 01397B1B: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01398544,00000001,00000364,?,01392E0F,?,?,013B00E0), ref: 01397B5C
              • _free.LIBCMT ref: 0139B147
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 716850c2e0a7a2cb9eae644337a9ab78ac2f4097770ce849c3152d41cd1ba7f1
              • Instruction ID: 0944300903163701f95a6528e5223d0d08b2aade20da855ef127723b9775d357
              • Opcode Fuzzy Hash: 716850c2e0a7a2cb9eae644337a9ab78ac2f4097770ce849c3152d41cd1ba7f1
              • Instruction Fuzzy Hash: 280126722003456BEB318E699881D5AFBE9EB85374F25061DE195832C0EA30A805CB24
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E01397B1B(void* __ecx, signed int _a4, signed int _a8) {
              				void* __esi;
              				void* _t8;
              				void* _t12;
              				signed int _t13;
              				void* _t15;
              				signed int _t16;
              				signed int _t18;
              				long _t19;
              
              				_t15 = __ecx;
              				_t18 = _a4;
              				if(_t18 == 0) {
              					L2:
              					_t19 = _t18 * _a8;
              					if(_t19 == 0) {
              						_t19 = _t19 + 1;
              					}
              					while(1) {
              						_t8 = RtlAllocateHeap( *0x13d0874, 8, _t19); // executed
              						if(_t8 != 0) {
              							break;
              						}
              						__eflags = E01397906();
              						if(__eflags == 0) {
              							L8:
              							 *((intOrPtr*)(E01397ECC())) = 0xc;
              							__eflags = 0;
              							return 0;
              						}
              						_t12 = E01396763(_t15, _t16, _t19, __eflags, _t19);
              						_pop(_t15);
              						__eflags = _t12;
              						if(_t12 == 0) {
              							goto L8;
              						}
              					}
              					return _t8;
              				}
              				_t13 = 0xffffffe0;
              				_t16 = _t13 % _t18;
              				if(_t13 / _t18 < _a8) {
              					goto L8;
              				}
              				goto L2;
              			}












              APIs
              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01398544,00000001,00000364,?,01392E0F,?,?,013B00E0), ref: 01397B5C
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 45a87f4e8efb2339eb59c4b4af6e07cde8086ad72fea5fa1525d57f7b8a80954
              • Instruction ID: d80a1922b8886e537918f05b42d0e82d601d6623d5c4f38f0bed235ad22afcfd
              • Opcode Fuzzy Hash: 45a87f4e8efb2339eb59c4b4af6e07cde8086ad72fea5fa1525d57f7b8a80954
              • Instruction Fuzzy Hash: 66F089316662296AEF326A299C05F5B3B4D9F5167CF088111AF14DB6C4CB70D800CEE5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E01375A1D(intOrPtr __ecx, void* __eflags) {
              				intOrPtr _t25;
              				intOrPtr _t34;
              				void* _t36;
              
              				_t25 = __ecx;
              				E0138D870(E013A1216, _t36);
              				_push(_t25);
              				_t34 = _t25;
              				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
              				E0137AD1B(_t25); // executed
              				_t2 = _t36 - 4;
              				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
              				E0137FAE6();
              				 *(_t36 - 4) = 1;
              				E0137FAE6();
              				 *(_t36 - 4) = 2;
              				E0137FAE6();
              				 *(_t36 - 4) = 3;
              				E0137FAE6();
              				 *(_t36 - 4) = 4;
              				E0137FAE6();
              				 *(_t36 - 4) = 5;
              				E01375C12(_t34,  *_t2);
              				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
              				return _t34;
              			}







              APIs
              • __EH_prolog.LIBCMT ref: 01375A22
                • Part of subcall function 0137AD1B: __EH_prolog.LIBCMT ref: 0137AD20
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 824c98bcd2a57c51fb6559b508515c5211389a3f0c81b8196553b8a47ae3508f
              • Instruction ID: fb0dc817918745215eba26ae3218df6cf2c6cf4f12aa2b470d78616d173e8b1c
              • Opcode Fuzzy Hash: 824c98bcd2a57c51fb6559b508515c5211389a3f0c81b8196553b8a47ae3508f
              • Instruction Fuzzy Hash: C201D170919246CAE725F7ACC1043EEB7A8AF2530CF00058CD45953380CBBC2B04CB62
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E01397A8A(void* __ecx, long _a4) {
              				void* __esi;
              				void* _t4;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              				long _t9;
              
              				_t7 = __ecx;
              				_t9 = _a4;
              				if(_t9 > 0xffffffe0) {
              					L7:
              					 *((intOrPtr*)(E01397ECC())) = 0xc;
              					__eflags = 0;
              					return 0;
              				}
              				if(_t9 == 0) {
              					_t9 = _t9 + 1;
              				}
              				while(1) {
              					_t4 = RtlAllocateHeap( *0x13d0874, 0, _t9); // executed
              					if(_t4 != 0) {
              						break;
              					}
              					__eflags = E01397906();
              					if(__eflags == 0) {
              						goto L7;
              					}
              					_t6 = E01396763(_t7, _t8, _t9, __eflags, _t9);
              					_pop(_t7);
              					__eflags = _t6;
              					if(_t6 == 0) {
              						goto L7;
              					}
              				}
              				return _t4;
              			}










              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,?,?,01392FA6,?,0000015D,?,?,?,?,01394482,000000FF,00000000,?,?), ref: 01397ABC
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: b52ca07bc60a90841d796cb4c15c9b2a1003857311f7abb0574d30f4930a7799
              • Instruction ID: 382a5d704f53f079303a8f2cc720a012c8e34825ca829c7b14e264962c5b4852
              • Opcode Fuzzy Hash: b52ca07bc60a90841d796cb4c15c9b2a1003857311f7abb0574d30f4930a7799
              • Instruction Fuzzy Hash: ACE06D316712276AFF3226AD9D04B5A3E8DEB516B9F0D0121ED14962C4DB28CE008BE6
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E013794DA(void* __ecx) {
              				void* _t16;
              				void* _t21;
              
              				_t21 = __ecx;
              				_t16 = 1;
              				if( *(__ecx + 4) != 0xffffffff) {
              					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
              						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
              						asm("sbb bl, bl");
              						_t16 =  ~_t5 + 1;
              					}
              					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
              				}
              				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
              				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
              					E01376C7B(0x13b00e0, _t21 + 0x1e);
              				}
              				return _t16;
              			}






              APIs
              • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,013794AA), ref: 013794F5
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 0893649cb94965800db906a4eb417daedd199c5cff1c363d0e85a520e9f790eb
              • Instruction ID: f0d0a3941a58ca9ba7ea5e0caa26d77e1175164dcaac105ace9658828831ccc1
              • Opcode Fuzzy Hash: 0893649cb94965800db906a4eb417daedd199c5cff1c363d0e85a520e9f790eb
              • Instruction Fuzzy Hash: 85F082B0482B298EEB318A3CC549792B7E89B0263DF048B1ED1E7478D0D379A44DCB10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0137A1B1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
              				void* _t12;
              				intOrPtr _t20;
              
              				_t20 = _a8;
              				 *((char*)(_t20 + 0x1044)) = 0;
              				if(E0137B5E5(_a4) == 0) {
              					_t12 = E0137A2DF(__edx, 0xffffffff, _a4, _t20);
              					if(_t12 == 0xffffffff) {
              						goto L1;
              					}
              					FindClose(_t12); // executed
              					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
              					 *((char*)(_t20 + 0x100c)) = E01379ECD( *((intOrPtr*)(_t20 + 0x1008)));
              					 *((char*)(_t20 + 0x100d)) = E01379EE5( *((intOrPtr*)(_t20 + 0x1008)));
              					return 1;
              				}
              				L1:
              				return 0;
              			}






              APIs
              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0137A1E0
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseFind
              • String ID:
              • API String ID: 1863332320-0
              • Opcode ID: 41bcdd83599f5b0c7726cc34212c920deda89423c06cd7aa027373e3f6743366
              • Instruction ID: 70ad585ae9ef0d916dd3850646550b04c5dae005624983f146a51dd75b99893f
              • Opcode Fuzzy Hash: 41bcdd83599f5b0c7726cc34212c920deda89423c06cd7aa027373e3f6743366
              • Instruction Fuzzy Hash: DFF08231008790AEDA325BB89804BCBBFD56F26379F088E4DE1FD13195C67E5095D721
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E013802E8() {
              				void* __esi;
              				void* _t2;
              
              				E01380FAF(); // executed
              				_t2 = E01380FB4();
              				if(_t2 != 0) {
              					_t2 = E01376CC9(_t2, 0x13b00e0, 0xff, 0xff);
              				}
              				if( *0x13b00eb != 0) {
              					_t2 = E01376CC9(_t2, 0x13b00e0, 0xff, 0xff);
              				}
              				__imp__SetThreadExecutionState(1);
              				return _t2;
              			}






              APIs
              • SetThreadExecutionState.KERNEL32 ref: 0138031D
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ExecutionStateThread
              • String ID:
              • API String ID: 2211380416-0
              • Opcode ID: b94567ad3a0788bdb95beb3dbfc90fcfc95854127b8c2349ec5dc892ae38a163
              • Instruction ID: e1848243b5a80db481676175129a38e7f0fc5d7742579d915117aaf5314e5834
              • Opcode Fuzzy Hash: b94567ad3a0788bdb95beb3dbfc90fcfc95854127b8c2349ec5dc892ae38a163
              • Instruction Fuzzy Hash: C6D0C221A0025212FB39732C65647FF3A5A8F91A1CF080059B205262C59A89088E83A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E013895CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				void* _t6;
              
              				_push(__ecx);
              				_push(0x10);
              				L0138D7F6();
              				_v8 = __eax;
              				if(__eax == 0) {
              					return 0;
              				}
              				_t6 = E0138938E(__eax, _a4, _a8); // executed
              				return _t6;
              			}






              APIs
              • GdipAlloc.GDIPLUS(00000010), ref: 013895D5
                • Part of subcall function 0138938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 013893AF
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Gdip$AllocBitmapCreateFromStream
              • String ID:
              • API String ID: 1915507550-0
              • Opcode ID: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
              • Instruction ID: f79fbf04e2517a8b2a5a6bad94db035fd6165589c6e5b24e49e0b6f2c2a392d7
              • Opcode Fuzzy Hash: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
              • Instruction Fuzzy Hash: 1ED05E3020430EABDB50BB789C01B7A7A98DB90218F004065AC0585580F971D91093A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01379745(void* __ecx) {
              				long _t3;
              
              				if( *(__ecx + 4) != 0xffffffff) {
              					_t3 = GetFileType( *(__ecx + 4)); // executed
              					if(_t3 == 2 || _t3 == 3) {
              						return 1;
              					} else {
              						return 0;
              					}
              				} else {
              					return 0;
              				}
              			}





              APIs
              • GetFileType.KERNELBASE(000000FF,01379683), ref: 01379751
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 455cd655cd8fabff3bb193ca5faba1ed27071a3423459abeebd9445198818b35
              • Instruction ID: b5dda35c72001bcaa94e69edf8abd4a85a795c530e09d9cb31e028fa1a0e3893
              • Opcode Fuzzy Hash: 455cd655cd8fabff3bb193ca5faba1ed27071a3423459abeebd9445198818b35
              • Instruction Fuzzy Hash: 88D0123001128095CF315E3C4E0A256AA56AF4337EB38C7A4D165C40B6C726C403F700
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138C9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
              				void* _t7;
              
              				SendDlgItemMessageW( *0x13b75c8, 0x6a, 0x402, E0137F749(_a20, _a24, _a28, _a32), 0); // executed
              				_t7 = E0138A388(); // executed
              				return _t7;
              			}





              APIs
              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0138CA23
                • Part of subcall function 0138A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0138A399
                • Part of subcall function 0138A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0138A3AA
                • Part of subcall function 0138A388: IsDialogMessageW.USER32(00160024,?), ref: 0138A3BE
                • Part of subcall function 0138A388: TranslateMessage.USER32(?), ref: 0138A3CC
                • Part of subcall function 0138A388: DispatchMessageW.USER32(?), ref: 0138A3D6
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Message$DialogDispatchItemPeekSendTranslate
              • String ID:
              • API String ID: 897784432-0
              • Opcode ID: cff9d2daf8178b99340ad21026a4ad659b309669fb511819453df82c85096713
              • Instruction ID: d7d5d9ac72e5352100435eb62ede527cf8a85a0acc479b8893fd38c6653e9cd0
              • Opcode Fuzzy Hash: cff9d2daf8178b99340ad21026a4ad659b309669fb511819453df82c85096713
              • Instruction Fuzzy Hash: 22D09E35144300BAD7112B61CE06F1A7ABABB9CB48F404555B344740E086A29D209B11
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D1BF() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab6c, 0x13adf10); // executed
              				goto __eax;
              			}









              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 4a005fce0907a716c6d4c25899897b9a38047b1daf8e64b0259f1097c4e5b49b
              • Instruction ID: 65c03dd4d8d181d72e5145df96d9aa62eca18a7cac84ed8c78676cf76913fb5e
              • Opcode Fuzzy Hash: 4a005fce0907a716c6d4c25899897b9a38047b1daf8e64b0259f1097c4e5b49b
              • Instruction Fuzzy Hash: F2B01286398201ECF04973CA6C01C3B330CE4C191C3B0880FF004C19C8D4504C080031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D1A4() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab6c, 0x13adf08); // executed
              				goto __eax;
              			}









              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 698483166feb324d536d5e04872873a98d0157a1f6740c390ab64fa7a96d98c3
              • Instruction ID: 642d3d784e99ec895724c94f8be41e5e84535b19e8ec407743c5a2e37a7ba614
              • Opcode Fuzzy Hash: 698483166feb324d536d5e04872873a98d0157a1f6740c390ab64fa7a96d98c3
              • Instruction Fuzzy Hash: 08B09286298205ACB0093286AD0183A220DD5C1A1C3A0850AF00081880A45048480031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D1DD() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab6c, 0x13adf04); // executed
              				goto __eax;
              			}









              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ce04dd26f2498e79b4b19726c7b975fc7b700966812296255066276c5a25583f
              • Instruction ID: 4240da988f5423fb23889a24e411e805ccacc95c81bb1787b63d3507c5bccf04
              • Opcode Fuzzy Hash: ce04dd26f2498e79b4b19726c7b975fc7b700966812296255066276c5a25583f
              • Instruction Fuzzy Hash: 61B01286358201ECF04973CA7D01C3B320CD4C191C3B0840FF004C2980E4514C090031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D1C9() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab6c, 0x13adf0c); // executed
              				goto __eax;
              			}









              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 2c046d3613ab701ed3d8b2d874761d8ea0028396ae8e8a11a1fd541fddad1cbb
              • Instruction ID: 9f783cf893dd76e928ccc1b4a68bbf0edca3f2206e78f9cb3c90a532753f2410
              • Opcode Fuzzy Hash: 2c046d3613ab701ed3d8b2d874761d8ea0028396ae8e8a11a1fd541fddad1cbb
              • Instruction Fuzzy Hash: ACB01286358201ECF04973CA7C01C3B331CD4C191C3B0C40FF404C2980E5504C080031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D23E() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab8c, 0x13adff0); // executed
              				goto __eax;
              			}









              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D217
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 7a2716b5d3b00c36b5e6c75cf58d2324f1423a0caba398d3ad014f307f871613
              • Instruction ID: 27d78a91424ebf82dcc0e44c42ce4502aa5a96fdf99ec1a1accfa60285d4f2d3
              • Opcode Fuzzy Hash: 7a2716b5d3b00c36b5e6c75cf58d2324f1423a0caba398d3ad014f307f871613
              • Instruction Fuzzy Hash: 2FB012CB298201ECF00973CE7C01E37230CF0D993C360841FF004C6984D8408C080131
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D234() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab8c, 0x13adffc); // executed
              				goto __eax;
              			}








              0x0138d20f
              0x0138d217
              0x0138d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D217
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e05c62e82078ac8fe37111e1e43713dbcc1fd8ee9b9ee37ca48c7a6a4d4ac4ff
              • Instruction ID: f0cece16908a7e079a5f4d18d795f9e930c9382e5b32b8b80b53692a995bb24f
              • Opcode Fuzzy Hash: e05c62e82078ac8fe37111e1e43713dbcc1fd8ee9b9ee37ca48c7a6a4d4ac4ff
              • Instruction Fuzzy Hash: 57B012CB298211ECF00973CE7C01D37230CE0D993C360C41FF404C6D80D9408C080131
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D205() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aab8c, 0x13adff8); // executed
              				goto __eax;
              			}








              0x0138d20f
              0x0138d217
              0x0138d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D217
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 047395b9aa5ef2e830feb557fb8ddeba84bf9e48f7c94be6382d8b2fd9d18f84
              • Instruction ID: d9b240cc81ed17bda826b576733eb9b7e74cd25f810a8ea553f8a46444de424e
              • Opcode Fuzzy Hash: 047395b9aa5ef2e830feb557fb8ddeba84bf9e48f7c94be6382d8b2fd9d18f84
              • Instruction Fuzzy Hash: BBB092CA298201ACE00922CA6C01C36220CE1D592C360851AF0108588498408C480031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0138D7DA() {
              				void* _t3;
              				void* _t4;
              				void* _t8;
              				void* _t9;
              				void* _t10;
              
              				_push(_t4);
              				E0138D53A(_t3, _t4, _t8, _t9, _t10, 0x13aabcc, 0x13adeb4); // executed
              				goto __eax;
              			}








              0x0138d7e4
              0x0138d7ec
              0x0138d7f3

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D7EC
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d47e0a90e981b380035fd77c3e1c8851795e08ecfa51e9c8ee8c4311e4b6e213
              • Instruction ID: eb21f582fde2cbef6daeb3aff071078260b97a9d013631d3b8a20704318de08c
              • Opcode Fuzzy Hash: d47e0a90e981b380035fd77c3e1c8851795e08ecfa51e9c8ee8c4311e4b6e213
              • Instruction Fuzzy Hash: C8B01286259202FDF10977C66E05C36220CD0E1D1C360C40FF004C0880D4419C050031
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D1F6() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab6c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d1b1
              0x0138d1b6
              0x0138d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 7557edb3e2d7c136854614d0f9ff62f402a5bfdbe7a404e9819649d292f57f84
              • Instruction ID: f7b5cbd959ac8f950ffde15f01041e60c306057d938c8caf5baedd02da0f7e96
              • Opcode Fuzzy Hash: 7557edb3e2d7c136854614d0f9ff62f402a5bfdbe7a404e9819649d292f57f84
              • Instruction Fuzzy Hash: 37A011822A8202FCB00A3382AC02C3A320CC8C2A2C3B0880EE00280880A88008000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D1EC() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab6c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d1b1
              0x0138d1b6
              0x0138d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 82f5ae47c56a5728f6370d7e3e1ee7bd47c0f8002088766215565a064bd00ff5
              • Instruction ID: f7b5cbd959ac8f950ffde15f01041e60c306057d938c8caf5baedd02da0f7e96
              • Opcode Fuzzy Hash: 82f5ae47c56a5728f6370d7e3e1ee7bd47c0f8002088766215565a064bd00ff5
              • Instruction Fuzzy Hash: 37A011822A8202FCB00A3382AC02C3A320CC8C2A2C3B0880EE00280880A88008000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D1D8() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab6c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d1b1
              0x0138d1b6
              0x0138d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 42e8e3c4124ad0f664b0e23307e6e3bbba7354c436844b2db7f347a06c3c546b
              • Instruction ID: f7b5cbd959ac8f950ffde15f01041e60c306057d938c8caf5baedd02da0f7e96
              • Opcode Fuzzy Hash: 42e8e3c4124ad0f664b0e23307e6e3bbba7354c436844b2db7f347a06c3c546b
              • Instruction Fuzzy Hash: 37A011822A8202FCB00A3382AC02C3A320CC8C2A2C3B0880EE00280880A88008000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D22F() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab8c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d212
              0x0138d217
              0x0138d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D217
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9c021cea543c62777e6673ca2b360e228a1b96c73b0b2086b40ea76b15884221
              • Instruction ID: 72a8854e33ba0ac4d80b730cc6a4dd70cec11bd3cfb0e1f7be80194c3d2cc7ad
              • Opcode Fuzzy Hash: 9c021cea543c62777e6673ca2b360e228a1b96c73b0b2086b40ea76b15884221
              • Instruction Fuzzy Hash: D9A011CB2A8202FCF00A33CABC02C3A230CC0EAA3C320882EE00282880A8808C000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D225() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab8c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d212
              0x0138d217
              0x0138d21e

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D217
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a42c0b4fb6ef64ca79fc30cd7fba2afe78d04f9cdb97487e823cce5959ade744
              • Instruction ID: 72a8854e33ba0ac4d80b730cc6a4dd70cec11bd3cfb0e1f7be80194c3d2cc7ad
              • Opcode Fuzzy Hash: a42c0b4fb6ef64ca79fc30cd7fba2afe78d04f9cdb97487e823cce5959ade744
              • Instruction Fuzzy Hash: D9A011CB2A8202FCF00A33CABC02C3A230CC0EAA3C320882EE00282880A8808C000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 22%
              			E0138D200() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t7;
              				void* _t8;
              
              				_push(0x13aab6c); // executed
              				E0138D53A(_t2, _t3, _t6, _t7, _t8); // executed
              				goto __eax;
              			}








              0x0138d1b1
              0x0138d1b6
              0x0138d1bd

              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0138D1B6
                • Part of subcall function 0138D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0138D5B7
                • Part of subcall function 0138D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0138D5C8
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: eabc6185bd538540bbbcb2f4d8c518a807bd34d6707765b30a86f812339fdfcd
              • Instruction ID: f7b5cbd959ac8f950ffde15f01041e60c306057d938c8caf5baedd02da0f7e96
              • Opcode Fuzzy Hash: eabc6185bd538540bbbcb2f4d8c518a807bd34d6707765b30a86f812339fdfcd
              • Instruction Fuzzy Hash: 37A011822A8202FCB00A3382AC02C3A320CC8C2A2C3B0880EE00280880A88008000030
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E01379BD6(void* __ecx) {
              				int _t2;
              
              				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
              				asm("sbb eax, eax");
              				return  ~(_t2 - 1) + 1;
              			}




              0x01379bd9
              0x01379be2
              0x01379be5

              APIs
              • SetEndOfFile.KERNELBASE(?,01378F33,?,?,-00001960), ref: 01379BD9
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File
              • String ID:
              • API String ID: 749574446-0
              • Opcode ID: 811de8fa0659f9528b50b65dbdea9f89d3d86499a806ceb03df52c82ae967cdc
              • Instruction ID: c828fcd17c3182947b78d2d4ff5e5c3fe19ff5461051353a6cfad0b06dfad7a4
              • Opcode Fuzzy Hash: 811de8fa0659f9528b50b65dbdea9f89d3d86499a806ceb03df52c82ae967cdc
              • Instruction Fuzzy Hash: EAB011B00E000A8ACE202A30C8088283B2AEA2230AB0082A0A002CA0A8CB22C003AB00
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E01389A8D(WCHAR* _a4) {
              				signed int _t2;
              
              				_t2 = SetCurrentDirectoryW(_a4); // executed
              				asm("sbb eax, eax");
              				return  ~( ~_t2);
              			}




              0x01389a91
              0x01389a99
              0x01389a9d

              APIs
              • SetCurrentDirectoryW.KERNELBASE(?,01389CE4,C:\Users\user\Desktop,00000000,013B85FA,00000006), ref: 01389A91
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CurrentDirectory
              • String ID:
              • API String ID: 1611563598-0
              • Opcode ID: 23b4956b16d4a3e800d8c784a5ba6ec04677899040ca0216467f8315a1cdc60e
              • Instruction ID: 373f2a443e0e5628d25891c05789cbb623ee4de25a6483fe1e2a71686ab135de
              • Opcode Fuzzy Hash: 23b4956b16d4a3e800d8c784a5ba6ec04677899040ca0216467f8315a1cdc60e
              • Instruction Fuzzy Hash: A2A0123419400646CA100B30C809C1676559760702F008620B102C0094CB308810A600
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 60%
              			E0138AFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
              				struct _FILETIME _v0;
              				struct _SYSTEMTIME _v12;
              				struct _SYSTEMTIME _v16;
              				struct _FILETIME _v24;
              				void* _t73;
              				void* _t136;
              				long _t137;
              				void* _t141;
              				void* _t142;
              				void* _t143;
              				void* _t144;
              				void* _t145;
              				signed short _t148;
              				void* _t151;
              				intOrPtr _t152;
              				signed int _t153;
              				signed int _t157;
              				struct HWND__* _t159;
              				intOrPtr _t162;
              				void* _t163;
              				int _t166;
              				int _t169;
              				void* _t173;
              				void* _t177;
              				void* _t179;
              
              				_t156 = __edx;
              				_t151 = __ecx;
              				E0138D940();
              				_t148 = _a6748;
              				_t162 = _a6744;
              				_t159 = _a6740;
              				if(E013712D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
              					_t163 = _t162 - 0x110;
              					if(_t163 == 0) {
              						SetFocus(GetDlgItem(_t159, 0x6c));
              						E0137FAB1( &_a2640, _a6752, 0x800);
              						E0137BA19( &_a2628,  &_a2628, 0x800);
              						SetDlgItemTextW(_t159, 0x65,  &_a2616);
              						 *0x13adf00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
              						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
              						_t173 = FindFirstFileW( &_a2596,  &_a288);
              						if(_t173 != 0xffffffff) {
              							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
              							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
              							_push(0x32);
              							_push( &_a12);
              							_push(0);
              							_push( &_v12);
              							_t166 = 2;
              							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
              							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
              							_push( &_a12);
              							_push( &_a112);
              							E01373E41( &_a900, 0x200, L"%s %s %s", E0137DA42(_t151, 0x99));
              							_t179 = _t177 + 0x18;
              							SetDlgItemTextW(_t159, 0x6a,  &_a900);
              							FindClose(_t173);
              							if((_a308 & 0x00000010) == 0) {
              								_push(0x32);
              								_push( &_a212);
              								_push(0);
              								_pop(0);
              								asm("adc eax, ebp");
              								_push(_a340);
              								_push(0 + _a344);
              								E01389D99();
              								_push(E0137DA42(0 + _a344, 0x98));
              								E01373E41( &_a884, 0x200, L"%s %s",  &_a192);
              								_t179 = _t179 + 0x14;
              								SetDlgItemTextW(_t159, 0x68,  &_a884);
              							}
              							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
              							_t152 =  *0x13b75f4; // 0x0
              							E0138082F(_t152, _t156,  &_a4);
              							FileTimeToLocalFileTime( &_v0,  &_v24);
              							FileTimeToSystemTime( &_v24,  &_v16);
              							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
              							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
              							_push( &_a8);
              							_push( &_a108);
              							E01373E41( &_a896, 0x200, L"%s %s %s", E0137DA42(_t152, 0x99));
              							_t177 = _t179 + 0x18;
              							SetDlgItemTextW(_t159, 0x6b,  &_a896);
              							_t153 =  *0x13cce14;
              							_t157 =  *0x13cce10;
              							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
              								E01389D99(_t157, _t153,  &_a212, 0x32);
              								_push(E0137DA42(_t153, 0x98));
              								E01373E41( &_a884, 0x200, L"%s %s",  &_a192);
              								_t177 = _t177 + 0x14;
              								SetDlgItemTextW(_t159, 0x69,  &_a884);
              							}
              						}
              						L27:
              						_t73 = 0;
              						L28:
              						return _t73;
              					}
              					if(_t163 != 1) {
              						goto L27;
              					}
              					_t169 = 2;
              					_t136 = (_t148 & 0x0000ffff) - _t169;
              					if(_t136 == 0) {
              						L11:
              						_push(6);
              						L12:
              						_pop(_t169);
              						L13:
              						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
              						if(_t137 != 0) {
              							 *0x13adf4c(_t137);
              						}
              						EndDialog(_t159, _t169);
              						goto L1;
              					}
              					_t141 = _t136 - 0x6a;
              					if(_t141 == 0) {
              						_t169 = 0;
              						goto L13;
              					}
              					_t142 = _t141 - 1;
              					if(_t142 == 0) {
              						_t169 = 1;
              						goto L13;
              					}
              					_t143 = _t142 - 1;
              					if(_t143 == 0) {
              						_push(4);
              						goto L12;
              					}
              					_t144 = _t143 - 1;
              					if(_t144 == 0) {
              						goto L13;
              					}
              					_t145 = _t144 - 1;
              					if(_t145 == 0) {
              						_push(3);
              						goto L12;
              					}
              					if(_t145 != 1) {
              						goto L27;
              					}
              					goto L11;
              				}
              				L1:
              				_t73 = 1;
              				goto L28;
              			}

              APIs
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0138B04A
              • EndDialog.USER32(?,00000006), ref: 0138B05D
              • GetDlgItem.USER32(?,0000006C), ref: 0138B079
              • SetFocus.USER32(00000000), ref: 0138B080
              • SetDlgItemTextW.USER32(?,00000065,?), ref: 0138B0C0
              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0138B0F3
              • FindFirstFileW.KERNEL32(?,?), ref: 0138B109
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0138B127
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0138B137
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0138B154
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0138B172
              • _swprintf.LIBCMT ref: 0138B1A2
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0138B1B5
              • FindClose.KERNEL32(00000000), ref: 0138B1B8
              • _swprintf.LIBCMT ref: 0138B213
              • SetDlgItemTextW.USER32(?,00000068,?), ref: 0138B226
              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0138B23C
              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0138B25C
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0138B26C
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0138B286
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0138B29E
              • _swprintf.LIBCMT ref: 0138B2CF
              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0138B2E2
              • _swprintf.LIBCMT ref: 0138B332
              • SetDlgItemTextW.USER32(?,00000069,?), ref: 0138B345
                • Part of subcall function 01389D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 01389DBF
                • Part of subcall function 01389D99: GetNumberFormatW.KERNEL32 ref: 01389E0E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
              • API String ID: 797121971-1840816070
              • Opcode ID: eab2404054f12c46ef6dca5412c641da5c8d95dac4adf934face7be40c11538a
              • Instruction ID: c531d2837b023e6108a42d3751bf01cd2ef858d9843f22a4dee8e75a53d10dd5
              • Opcode Fuzzy Hash: eab2404054f12c46ef6dca5412c641da5c8d95dac4adf934face7be40c11538a
              • Instruction Fuzzy Hash: D29197B2148349BBE631EBA4CC49FFBB7ACEB89708F400819F749D6484D775E6058762
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E01376FC6(void* __edx) {
              				void* __esi;
              				signed int _t111;
              				signed int _t113;
              				void* _t116;
              				int _t118;
              				intOrPtr _t121;
              				signed int _t139;
              				int _t145;
              				void* _t182;
              				void* _t185;
              				void* _t190;
              				short _t191;
              				void* _t197;
              				void* _t202;
              				void* _t203;
              				void* _t222;
              				void* _t223;
              				intOrPtr _t224;
              				intOrPtr _t226;
              				void* _t228;
              				WCHAR* _t229;
              				intOrPtr _t233;
              				short _t237;
              				void* _t238;
              				intOrPtr _t239;
              				short _t241;
              				void* _t242;
              				void* _t244;
              				void* _t245;
              
              				_t223 = __edx;
              				E0138D870(E013A126D, _t242);
              				E0138D940();
              				 *((intOrPtr*)(_t242 - 0x18)) = 1;
              				if( *0x13b0043 == 0) {
              					E01377A15(L"SeRestorePrivilege");
              					E01377A15(L"SeCreateSymbolicLinkPrivilege");
              					 *0x13b0043 = 1;
              				}
              				_t199 = _t242 - 0x2c;
              				E01376ED7(_t242 - 0x2c, 0x1418);
              				_t197 =  *(_t242 + 0x10);
              				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
              				E0137FAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
              				 *((intOrPtr*)(_t242 - 0x10)) = E01392B33(_t242 - 0x107c);
              				_t232 = _t242 - 0x107c;
              				_t228 = _t242 - 0x207c;
              				_t111 = E01394DA0(_t242 - 0x107c, L"\\??\\", 4);
              				_t245 = _t244 + 0x10;
              				asm("sbb al, al");
              				_t113 =  ~_t111 + 1;
              				 *(_t242 - 0x14) = _t113;
              				if(_t113 != 0) {
              					_t232 = _t242 - 0x1074;
              					_t190 = E01394DA0(_t242 - 0x1074, L"UNC\\", 4);
              					_t245 = _t245 + 0xc;
              					if(_t190 == 0) {
              						_t191 = 0x5c;
              						 *((short*)(_t242 - 0x207c)) = _t191;
              						_t228 = _t242 - 0x207a;
              						_t232 = _t242 - 0x106e;
              					}
              				}
              				E01394D7E(_t228, _t232);
              				_t116 = E01392B33(_t242 - 0x207c);
              				_t233 =  *((intOrPtr*)(_t242 + 8));
              				_t229 =  *(_t242 + 0xc);
              				 *(_t242 + 0x10) = _t116;
              				if( *((char*)(_t233 + 0x618f)) != 0) {
              					L9:
              					_push(1);
              					_push(_t229);
              					E01379D3A(_t199, _t242);
              					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
              						_t118 = CreateDirectoryW(_t229, 0);
              						__eflags = _t118;
              						if(_t118 == 0) {
              							goto L27;
              						}
              						goto L14;
              					} else {
              						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
              						if(_t182 == 0xffffffff) {
              							L27:
              							 *((char*)(_t242 - 0x18)) = 0;
              							L28:
              							E0137159C(_t242 - 0x2c);
              							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
              							return  *((intOrPtr*)(_t242 - 0x18));
              						}
              						CloseHandle(_t182);
              						L14:
              						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
              						if(_t121 != 3) {
              							__eflags = _t121 - 2;
              							if(_t121 == 2) {
              								L18:
              								_t202 =  *(_t242 - 0x2c);
              								_t224 =  *((intOrPtr*)(_t242 - 0x10));
              								 *_t202 = 0xa000000c;
              								_t237 = _t224 + _t224;
              								 *((short*)(_t202 + 0xa)) = _t237;
              								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
              								 *((intOrPtr*)(_t202 + 6)) = 0;
              								E01394D7E(_t202 + 0x14, _t242 - 0x107c);
              								_t60 = _t237 + 2; // 0x3
              								_t238 =  *(_t242 - 0x2c);
              								 *((short*)(_t238 + 0xc)) = _t60;
              								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
              								E01394D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
              								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
              								__eflags = _t139;
              								 *(_t238 + 0x10) = _t139;
              								L19:
              								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
              								 *(_t242 + 0x10) = _t203;
              								if(_t203 == 0xffffffff) {
              									goto L27;
              								}
              								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
              								_t262 = _t145;
              								if(_t145 != 0) {
              									E0137943C(_t242 - 0x30a0);
              									 *(_t242 - 4) = 1;
              									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
              									_t239 =  *((intOrPtr*)(_t242 + 8));
              									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
              									asm("sbb ecx, ecx");
              									asm("sbb ecx, ecx");
              									asm("sbb ecx, ecx");
              									E01379A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
              									E013794DA(_t242 - 0x30a0);
              									__eflags =  *((char*)(_t239 + 0x61a0));
              									if( *((char*)(_t239 + 0x61a0)) == 0) {
              										E0137A12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
              									}
              									E0137946E(_t242 - 0x30a0);
              									goto L28;
              								}
              								CloseHandle( *(_t242 + 0x10));
              								E01376BF5(_t262, 0x15, 0, _t229);
              								_t160 = GetLastError();
              								if(_t160 == 5 || _t160 == 0x522) {
              									if(E0137FC98() == 0) {
              										E01371567(_t242 - 0x7c, 0x18);
              										_t160 = E01380A9F(_t242 - 0x7c);
              									}
              								}
              								E0138E214(_t160);
              								E01376E03(0x13b00e0, 9);
              								_push(_t229);
              								if( *((char*)(_t197 + 0x10f1)) == 0) {
              									DeleteFileW();
              								} else {
              									RemoveDirectoryW();
              								}
              								goto L27;
              							}
              							__eflags = _t121 - 1;
              							if(_t121 != 1) {
              								goto L27;
              							}
              							goto L18;
              						}
              						_t222 =  *(_t242 - 0x2c);
              						_t226 =  *((intOrPtr*)(_t242 - 0x10));
              						 *_t222 = 0xa0000003;
              						_t241 = _t226 + _t226;
              						 *((short*)(_t222 + 0xa)) = _t241;
              						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
              						 *((intOrPtr*)(_t222 + 6)) = 0;
              						E01394D7E(_t222 + 0x10, _t242 - 0x107c);
              						_t40 = _t241 + 2; // 0x3
              						_t238 =  *(_t242 - 0x2c);
              						 *((short*)(_t238 + 0xc)) = _t40;
              						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
              						E01394D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
              						goto L19;
              					}
              				}
              				if( *(_t242 - 0x14) != 0) {
              					goto L27;
              				}
              				_t185 = E0137B4F2(_t197 + 0x1104);
              				_t255 = _t185;
              				if(_t185 != 0) {
              					goto L27;
              				}
              				_push(_t197 + 0x1104);
              				_push(_t229);
              				_push(_t197 + 0x28);
              				_push(_t233);
              				if(E013777F7(_t223, _t255) == 0) {
              					goto L27;
              				}
              				goto L9;
              			}

              APIs
              • __EH_prolog.LIBCMT ref: 01376FCB
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 0137712B
              • CloseHandle.KERNEL32(00000000), ref: 0137713B
                • Part of subcall function 01377A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 01377A24
                • Part of subcall function 01377A15: GetLastError.KERNEL32 ref: 01377A6A
                • Part of subcall function 01377A15: CloseHandle.KERNEL32(?), ref: 01377A79
              • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 01377146
              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 01377254
              • DeviceIoControl.KERNEL32 ref: 01377280
              • CloseHandle.KERNEL32(?), ref: 01377292
              • GetLastError.KERNEL32(00000015,00000000,?), ref: 013772A2
              • RemoveDirectoryW.KERNEL32(?), ref: 013772EE
              • DeleteFileW.KERNEL32(?), ref: 01377316
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
              • API String ID: 3935142422-3508440684
              • Opcode ID: 514f115e02acbe875164f2c03764dc71a4c5b316ae873dadd98e39cfabbd0fc2
              • Instruction ID: e295ad487769da2b1968c5a3e20d4a8db0b74dbbeeb99b1df6283f10c33f1174
              • Opcode Fuzzy Hash: 514f115e02acbe875164f2c03764dc71a4c5b316ae873dadd98e39cfabbd0fc2
              • Instruction Fuzzy Hash: 23B1BF759002199BEF35DFA8DC44BEE77B8EF08308F0445A9E919E7241D778AA45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E013730FC(intOrPtr* __ecx, void* __eflags) {
              				void* __ebp;
              				signed int _t242;
              				void* _t248;
              				unsigned int _t250;
              				signed int _t254;
              				signed int _t255;
              				unsigned int _t256;
              				void* _t257;
              				char _t270;
              				signed int _t289;
              				unsigned int _t290;
              				intOrPtr _t291;
              				signed int _t292;
              				signed int _t295;
              				char _t302;
              				signed char _t304;
              				signed int _t320;
              				signed int _t331;
              				signed int _t335;
              				signed int _t350;
              				signed char _t352;
              				unsigned int _t362;
              				void* _t378;
              				void* _t380;
              				void* _t381;
              				void* _t392;
              				intOrPtr* _t394;
              				intOrPtr* _t396;
              				signed int _t409;
              				signed int _t419;
              				char _t431;
              				signed int _t432;
              				signed int _t437;
              				signed int _t441;
              				intOrPtr _t449;
              				unsigned int _t455;
              				unsigned int _t458;
              				signed int _t462;
              				signed int _t470;
              				signed int _t479;
              				signed int _t484;
              				signed int _t498;
              				intOrPtr _t499;
              				signed int _t500;
              				signed char _t501;
              				unsigned int _t502;
              				void* _t509;
              				void* _t517;
              				signed int _t520;
              				void* _t521;
              				signed int _t531;
              				unsigned int _t534;
              				void* _t539;
              				intOrPtr _t543;
              				void* _t544;
              				void* _t545;
              				void* _t546;
              				intOrPtr _t556;
              
              				_t396 = __ecx;
              				_t546 = _t545 - 0x68;
              				E0138D870(E013A11A9, _t544);
              				E0138D940();
              				_t394 = _t396;
              				E0137C223(_t544 + 0x30, _t394);
              				 *(_t544 + 0x60) = 0;
              				 *((intOrPtr*)(_t544 - 4)) = 0;
              				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
              					L15:
              					 *((char*)(_t544 + 0x6a)) = 0;
              					L16:
              					if(E0137C42E(_t498, 7) >= 7) {
              						 *(_t394 + 0x21f4) = 0;
              						_t509 = _t394 + 0x21e4;
              						 *_t509 = E0137C29E(_t544 + 0x30);
              						_t531 = E0137C40A(_t544 + 0x30, 4);
              						_t242 = E0137C39E(_t498);
              						__eflags = _t242 | _t498;
              						if((_t242 | _t498) == 0) {
              							L85:
              							E01371EF8(_t394);
              							L86:
              							E0137159C(_t544 + 0x30);
              							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
              							return  *(_t544 + 0x60);
              						}
              						__eflags = _t531;
              						if(_t531 == 0) {
              							goto L85;
              						}
              						_t42 = _t531 - 3; // -3
              						_t534 = _t531 + 4 + _t242;
              						_t409 = _t42 + _t242;
              						__eflags = _t409;
              						 *(_t544 + 0x64) = _t534;
              						if(_t409 < 0) {
              							goto L85;
              						}
              						__eflags = _t534 - 7;
              						if(_t534 < 7) {
              							goto L85;
              						}
              						E0137C42E(_t498, _t409);
              						__eflags =  *(_t544 + 0x48) - _t534;
              						if( *(_t544 + 0x48) < _t534) {
              							goto L17;
              						}
              						_t248 = E0137C37E(_t544 + 0x30);
              						 *(_t394 + 0x21e8) = E0137C39E(_t498);
              						_t250 = E0137C39E(_t498);
              						 *(_t394 + 0x21ec) = _t250;
              						__eflags =  *_t509 - _t248;
              						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
              						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
              						_t254 =  *(_t394 + 0x21e8);
              						 *(_t394 + 0x21dc) = _t254;
              						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
              						 *(_t544 + 0x6b) = _t255;
              						__eflags = _t255;
              						if(_t255 == 0) {
              							L26:
              							_t256 = 0;
              							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
              							 *(_t544 + 0x58) = 0;
              							 *(_t544 + 0x54) = 0;
              							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
              								L30:
              								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
              								_t536 = _t256;
              								 *(_t544 + 0x64) = _t256;
              								 *(_t544 + 0x5c) = _t256;
              								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
              									_t362 = E0137C39E(_t498);
              									_t536 = _t362;
              									 *(_t544 + 0x64) = _t362;
              									 *(_t544 + 0x5c) = _t498;
              								}
              								_t257 = E01371901(_t394,  *(_t394 + 0x21f0));
              								_t499 = 0;
              								asm("adc eax, edx");
              								 *((intOrPtr*)(_t394 + 0x6ca8)) = E01373CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
              								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
              								_t500 =  *(_t394 + 0x21e8);
              								__eflags = _t500 - 1;
              								if(__eflags == 0) {
              									E0137A96C(_t394 + 0x2208);
              									_t419 = 5;
              									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
              									_t501 = E0137C39E(_t500);
              									 *(_t394 + 0x6cb5) = _t501 & 1;
              									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
              									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
              									_t431 = 1;
              									 *((char*)(_t394 + 0x6cba)) = 1;
              									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
              									_t270 = 0;
              									 *((char*)(_t394 + 0x6cb8)) = 0;
              									__eflags = _t501 & 0x00000002;
              									if((_t501 & 0x00000002) == 0) {
              										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
              									} else {
              										 *((intOrPtr*)(_t394 + 0x6cd8)) = E0137C39E(_t501);
              										_t270 = 0;
              										_t431 = 1;
              									}
              									__eflags =  *(_t394 + 0x6cb5);
              									if( *(_t394 + 0x6cb5) == 0) {
              										L81:
              										_t431 = _t270;
              										goto L82;
              									} else {
              										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
              										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
              											L82:
              											 *((char*)(_t394 + 0x6cb9)) = _t431;
              											_t432 =  *(_t544 + 0x58);
              											__eflags = _t432 |  *(_t544 + 0x54);
              											if((_t432 |  *(_t544 + 0x54)) != 0) {
              												E0137200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
              											}
              											L84:
              											 *(_t544 + 0x60) =  *(_t544 + 0x48);
              											goto L86;
              										}
              										goto L81;
              									}
              								}
              								if(__eflags <= 0) {
              									goto L84;
              								}
              								__eflags = _t500 - 3;
              								if(_t500 <= 3) {
              									__eflags = _t500 - 2;
              									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
              									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
              									 *(_t544 + 0x2c) = _t517;
              									E0137A8D2(_t517, 0);
              									_t437 = 5;
              									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
              									_t539 =  *(_t544 + 0x2c);
              									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
              									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
              									 *((char*)(_t539 + 0x10f9)) = 1;
              									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
              									 *(_t539 + 0x1094) = E0137C39E(_t500);
              									 *(_t539 + 0x1060) = E0137C39E(_t500);
              									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
              									__eflags = _t289;
              									 *(_t539 + 0x1064) = _t500;
              									 *(_t539 + 0x109a) = _t289;
              									if(_t289 != 0) {
              										 *(_t539 + 0x1060) = 0x7fffffff;
              										 *(_t539 + 0x1064) = 0x7fffffff;
              									}
              									_t441 =  *(_t539 + 0x105c);
              									_t520 =  *(_t539 + 0x1064);
              									_t290 =  *(_t539 + 0x1058);
              									_t502 =  *(_t539 + 0x1060);
              									__eflags = _t441 - _t520;
              									if(__eflags < 0) {
              										L51:
              										_t290 = _t502;
              										_t441 = _t520;
              										goto L52;
              									} else {
              										if(__eflags > 0) {
              											L52:
              											 *(_t539 + 0x106c) = _t441;
              											 *(_t539 + 0x1068) = _t290;
              											_t291 = E0137C39E(_t502);
              											__eflags =  *(_t539 + 0x1094) & 0x00000002;
              											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
              											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
              												E01380A25(_t539 + 0x1040, _t502, E0137C29E(_t544 + 0x30), 0);
              											}
              											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
              											__eflags =  *(_t539 + 0x1094) & 0x00000004;
              											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
              												 *(_t539 + 0x1070) = 2;
              												 *((intOrPtr*)(_t539 + 0x1074)) = E0137C29E(_t544 + 0x30);
              											}
              											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
              											_t292 = E0137C39E(_t502);
              											 *(_t544 + 0x64) = _t292;
              											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
              											_t449 = (_t292 & 0x0000003f) + 0x32;
              											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
              											__eflags = _t449 - 0x32;
              											if(_t449 != 0x32) {
              												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
              											}
              											 *((char*)(_t539 + 0x18)) = E0137C39E(_t502);
              											_t521 = E0137C39E(_t502);
              											 *(_t539 + 0x10fc) = 2;
              											_t295 =  *((intOrPtr*)(_t539 + 0x18));
              											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
              											__eflags = _t295 - 1;
              											if(_t295 != 1) {
              												__eflags = _t295;
              												if(_t295 == 0) {
              													_t177 = _t539 + 0x10fc;
              													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
              													__eflags =  *_t177;
              												}
              											} else {
              												 *(_t539 + 0x10fc) = 1;
              											}
              											_t455 =  *(_t539 + 8);
              											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
              											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
              											__eflags =  *(_t544 + 0x60) - 2;
              											_t458 =  *(_t544 + 0x64);
              											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
              											if( *(_t544 + 0x60) != 2) {
              												L65:
              												_t302 = 0;
              												__eflags = 0;
              												goto L66;
              											} else {
              												__eflags = _t458 & 0x00000040;
              												if((_t458 & 0x00000040) == 0) {
              													goto L65;
              												}
              												_t302 = 1;
              												L66:
              												 *((char*)(_t539 + 0x10f0)) = _t302;
              												_t304 =  *(_t539 + 0x1094) & 1;
              												 *(_t539 + 0x10f1) = _t304;
              												asm("sbb eax, eax");
              												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
              												asm("sbb eax, eax");
              												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
              												__eflags = _t521 - 0x1fff;
              												if(_t521 >= 0x1fff) {
              													_t521 = 0x1fff;
              												}
              												E0137C300(_t544 + 0x30, _t544 - 0x2074, _t521);
              												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
              												_push(0x800);
              												_t522 = _t539 + 0x28;
              												_push(_t539 + 0x28);
              												_push(_t544 - 0x2074);
              												E01381094();
              												_t462 =  *(_t544 + 0x58);
              												__eflags = _t462 |  *(_t544 + 0x54);
              												if((_t462 |  *(_t544 + 0x54)) != 0) {
              													E0137200C(_t394, _t544 + 0x30, _t462, _t539);
              												}
              												_t319 =  *(_t544 + 0x60);
              												__eflags =  *(_t544 + 0x60) - 2;
              												if( *(_t544 + 0x60) != 2) {
              													L72:
              													_t320 = E01392B69(_t319, _t522, L"CMT");
              													__eflags = _t320;
              													if(_t320 == 0) {
              														 *((char*)(_t394 + 0x6cb6)) = 1;
              													}
              													goto L74;
              												} else {
              													E01371F3D(_t394, _t539);
              													_t319 =  *(_t544 + 0x60);
              													__eflags =  *(_t544 + 0x60) - 2;
              													if( *(_t544 + 0x60) == 2) {
              														L74:
              														__eflags =  *(_t544 + 0x6b);
              														if(__eflags != 0) {
              															E01376BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
              														}
              														goto L84;
              													}
              													goto L72;
              												}
              											}
              										}
              										__eflags = _t290 - _t502;
              										if(_t290 > _t502) {
              											goto L52;
              										}
              										goto L51;
              									}
              								}
              								__eflags = _t500 - 4;
              								if(_t500 == 4) {
              									_t470 = 5;
              									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
              									_t331 = E0137C39E(_t500);
              									__eflags = _t331;
              									if(_t331 == 0) {
              										 *(_t394 + 0x225c) = E0137C39E(_t500) & 0x00000001;
              										_t335 = E0137C251(_t544 + 0x30) & 0x000000ff;
              										 *(_t394 + 0x2260) = _t335;
              										__eflags = _t335 - 0x18;
              										if(_t335 <= 0x18) {
              											E0137C300(_t544 + 0x30, _t394 + 0x2264, 0x10);
              											__eflags =  *(_t394 + 0x225c);
              											if( *(_t394 + 0x225c) != 0) {
              												E0137C300(_t544 + 0x30, _t394 + 0x2274, 8);
              												E0137C300(_t544 + 0x30, _t544 + 0x64, 4);
              												E0137F524(_t544 - 0x74);
              												E0137F56A(_t544 - 0x74, _t394 + 0x2274, 8);
              												_push(_t544 + 8);
              												E0137F435(_t544 - 0x74);
              												_t350 = E0138F3CA(_t544 + 0x64, _t544 + 8, 4);
              												asm("sbb al, al");
              												_t352 =  ~_t350 + 1;
              												__eflags = _t352;
              												 *(_t394 + 0x225c) = _t352;
              											}
              											 *((char*)(_t394 + 0x6cbc)) = 1;
              											goto L84;
              										}
              										_push(_t335);
              										_push(L"hc%u");
              										L40:
              										_push(0x14);
              										_push(_t544);
              										E01373E41();
              										E01373DEC(_t394, _t394 + 0x1e, _t544);
              										goto L86;
              									}
              									_push(_t331);
              									_push(L"h%u");
              									goto L40;
              								}
              								__eflags = _t500 - 5;
              								if(_t500 == 5) {
              									_t479 = _t500;
              									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
              									 *(_t394 + 0x45ac) = E0137C39E(_t500) & 0x00000001;
              									 *((short*)(_t394 + 0x45ae)) = 0;
              									 *((char*)(_t394 + 0x45ad)) = 0;
              								}
              								goto L84;
              							}
              							_t484 = E0137C39E(_t498);
              							 *(_t544 + 0x54) = _t498;
              							_t256 = 0;
              							 *(_t544 + 0x58) = _t484;
              							__eflags = _t498;
              							if(__eflags < 0) {
              								goto L30;
              							}
              							if(__eflags > 0) {
              								goto L85;
              							}
              							__eflags = _t484 -  *(_t394 + 0x21f0);
              							if(_t484 >=  *(_t394 + 0x21f0)) {
              								goto L85;
              							}
              							goto L30;
              						}
              						E01371EF8(_t394);
              						 *((char*)(_t394 + 0x6cc4)) = 1;
              						E01376E03(0x13b00e0, 3);
              						__eflags =  *((char*)(_t544 + 0x6a));
              						if(__eflags == 0) {
              							goto L26;
              						} else {
              							E01376BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
              							 *((char*)(_t394 + 0x6cc5)) = 1;
              							goto L86;
              						}
              					}
              					L17:
              					E01373DAB(_t394, _t498);
              					goto L86;
              				}
              				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
              				asm("adc eax, ecx");
              				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
              				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
              					goto L15;
              				} else {
              					_push(0x10);
              					_push(_t544 + 0x18);
              					 *((char*)(_t544 + 0x6a)) = 1;
              					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
              						goto L17;
              					}
              					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
              						L7:
              						 *(_t544 + 0x6b) = 1;
              						L8:
              						E01373C40(_t394);
              						_t529 = _t394 + 0x2264;
              						_t543 = _t394 + 0x1024;
              						E0137607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
              						if( *(_t394 + 0x225c) == 0) {
              							L13:
              							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
              							goto L16;
              						} else {
              							_t378 = _t394 + 0x2274;
              							while(1) {
              								_t380 = E0138F3CA(_t544 + 0x28, _t378, 8);
              								_t546 = _t546 + 0xc;
              								if(_t380 == 0) {
              									goto L13;
              								}
              								_t563 =  *(_t544 + 0x6b);
              								_t381 = _t394 + 0x1e;
              								_push(_t381);
              								_push(_t381);
              								if( *(_t544 + 0x6b) != 0) {
              									_push(6);
              									E01376BF5(__eflags);
              									 *((char*)(_t394 + 0x6cc5)) = 1;
              									E01376E03(0x13b00e0, 0xb);
              									goto L86;
              								}
              								_push(0x7d);
              								E01376BF5(_t563);
              								E0137E797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
              								E01373C40(_t394);
              								E0137607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
              								_t378 = _t394 + 0x2274;
              								if( *(_t394 + 0x225c) != 0) {
              									continue;
              								}
              								goto L13;
              							}
              							goto L13;
              						}
              					}
              					_t392 = E01380FBA();
              					 *(_t544 + 0x6b) = 0;
              					if(_t392 == 0) {
              						goto L8;
              					}
              					goto L7;
              				}
              			}


              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: H_prolog_memcmp
              • String ID: CMT$h%u$hc%u
              • API String ID: 3004599000-3282847064
              • Opcode ID: 35001a69d1ad24f2a77b579ab8704b1ef76379c1619fa3561c72a23dbd197b87
              • Instruction ID: c60cb3232ff564b9f2250da97380f2aef33ff4f35432db9f565dfd35f06931c2
              • Opcode Fuzzy Hash: 35001a69d1ad24f2a77b579ab8704b1ef76379c1619fa3561c72a23dbd197b87
              • Instruction Fuzzy Hash: 5C32D7715143899FEF24DF78C885AEA3BE5BF65308F04047DED4A8B282DB789548DB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E0139C55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
              				signed int _v8;
              				signed int _v32;
              				signed int _v36;
              				char _v460;
              				signed int _v464;
              				void _v468;
              				signed int _v472;
              				signed int _v932;
              				signed int _v936;
              				signed int _v1392;
              				signed int _v1396;
              				signed int _v1400;
              				char _v1860;
              				signed int _v1864;
              				signed int _v1865;
              				signed int _v1872;
              				signed int _v1876;
              				signed int _v1880;
              				signed int _v1884;
              				signed int _v1888;
              				signed int _v1892;
              				signed int _v1896;
              				intOrPtr _v1900;
              				signed int _v1904;
              				signed int _v1908;
              				signed int _v1912;
              				signed int _v1916;
              				signed int _v1920;
              				signed int _v1924;
              				signed int _v1928;
              				char _v1936;
              				char _v1944;
              				char _v2404;
              				signed int _v2408;
              				signed int _t743;
              				signed int _t753;
              				signed int _t754;
              				intOrPtr _t763;
              				signed int _t764;
              				intOrPtr _t767;
              				intOrPtr _t770;
              				intOrPtr _t772;
              				intOrPtr _t773;
              				void* _t774;
              				signed int _t777;
              				signed int _t778;
              				signed int _t784;
              				signed int _t790;
              				intOrPtr _t792;
              				void* _t793;
              				signed int _t794;
              				signed int _t795;
              				signed int _t796;
              				signed int _t805;
              				signed int _t810;
              				signed int _t811;
              				signed int _t812;
              				signed int _t815;
              				signed int _t816;
              				signed int _t817;
              				signed int _t819;
              				signed int _t820;
              				signed int _t825;
              				signed int _t826;
              				signed int _t832;
              				signed int _t833;
              				signed int _t836;
              				signed int _t841;
              				signed int _t849;
              				signed int* _t852;
              				signed int _t856;
              				signed int _t867;
              				signed int _t868;
              				signed int _t870;
              				char* _t871;
              				signed int _t874;
              				signed int _t878;
              				signed int _t879;
              				signed int _t884;
              				signed int _t886;
              				signed int _t891;
              				signed int _t900;
              				signed int _t903;
              				signed int _t905;
              				signed int _t908;
              				signed int _t909;
              				signed int _t910;
              				signed int _t913;
              				signed int _t926;
              				signed int _t927;
              				signed int _t929;
              				char* _t930;
              				signed int _t933;
              				signed int _t937;
              				signed int _t938;
              				signed int* _t940;
              				signed int _t943;
              				signed int _t945;
              				signed int _t950;
              				signed int _t958;
              				signed int _t961;
              				signed int _t965;
              				signed int* _t972;
              				intOrPtr _t974;
              				void* _t975;
              				intOrPtr* _t977;
              				signed int* _t981;
              				unsigned int _t992;
              				signed int _t993;
              				void* _t996;
              				signed int _t997;
              				void* _t999;
              				signed int _t1000;
              				signed int _t1001;
              				signed int _t1002;
              				signed int _t1012;
              				signed int _t1017;
              				signed int _t1020;
              				unsigned int _t1023;
              				signed int _t1024;
              				void* _t1027;
              				signed int _t1028;
              				void* _t1030;
              				signed int _t1031;
              				signed int _t1032;
              				signed int _t1033;
              				signed int _t1038;
              				signed int* _t1043;
              				signed int _t1045;
              				signed int _t1055;
              				void _t1058;
              				signed int _t1061;
              				void* _t1064;
              				void* _t1071;
              				signed int _t1077;
              				signed int _t1078;
              				signed int _t1081;
              				signed int _t1082;
              				signed int _t1084;
              				signed int _t1085;
              				signed int _t1086;
              				signed int _t1090;
              				signed int _t1094;
              				signed int _t1095;
              				signed int _t1096;
              				signed int _t1098;
              				signed int _t1099;
              				signed int _t1100;
              				signed int _t1101;
              				signed int _t1102;
              				signed int _t1103;
              				signed int _t1105;
              				signed int _t1106;
              				signed int _t1107;
              				signed int _t1108;
              				signed int _t1109;
              				signed int _t1110;
              				unsigned int _t1111;
              				void* _t1114;
              				intOrPtr _t1116;
              				signed int _t1117;
              				signed int _t1118;
              				signed int _t1119;
              				signed int* _t1123;
              				void* _t1127;
              				void* _t1128;
              				signed int _t1129;
              				signed int _t1130;
              				signed int _t1131;
              				signed int _t1134;
              				signed int _t1135;
              				signed int _t1140;
              				void* _t1142;
              				signed int _t1143;
              				signed int _t1146;
              				char _t1151;
              				signed int _t1153;
              				signed int _t1154;
              				signed int _t1155;
              				signed int _t1156;
              				signed int _t1157;
              				signed int _t1158;
              				signed int _t1159;
              				signed int _t1163;
              				signed int _t1164;
              				signed int _t1165;
              				signed int _t1166;
              				signed int _t1167;
              				unsigned int _t1170;
              				void* _t1174;
              				void* _t1175;
              				unsigned int _t1176;
              				signed int _t1181;
              				signed int _t1182;
              				signed int _t1184;
              				signed int _t1185;
              				intOrPtr* _t1187;
              				signed int _t1188;
              				signed int _t1190;
              				signed int _t1191;
              				signed int _t1194;
              				signed int _t1196;
              				signed int _t1197;
              				void* _t1198;
              				signed int _t1199;
              				signed int _t1200;
              				signed int _t1201;
              				void* _t1204;
              				signed int _t1205;
              				signed int _t1206;
              				signed int _t1207;
              				signed int _t1208;
              				signed int _t1209;
              				signed int* _t1212;
              				signed int _t1213;
              				signed int _t1214;
              				signed int _t1215;
              				signed int _t1216;
              				intOrPtr* _t1218;
              				intOrPtr* _t1219;
              				signed int _t1221;
              				signed int _t1223;
              				signed int _t1226;
              				signed int _t1232;
              				signed int _t1236;
              				signed int _t1237;
              				signed int _t1242;
              				signed int _t1245;
              				signed int _t1246;
              				signed int _t1247;
              				signed int _t1248;
              				signed int _t1249;
              				signed int _t1250;
              				signed int _t1252;
              				signed int _t1253;
              				signed int _t1254;
              				signed int _t1255;
              				signed int _t1257;
              				signed int _t1258;
              				signed int _t1259;
              				signed int _t1260;
              				signed int _t1261;
              				signed int _t1263;
              				signed int _t1264;
              				signed int _t1266;
              				signed int _t1268;
              				signed int _t1270;
              				signed int _t1273;
              				signed int _t1275;
              				signed int* _t1276;
              				signed int* _t1279;
              				signed int _t1288;
              
              				_t1142 = __edx;
              				_t1273 = _t1275;
              				_t1276 = _t1275 - 0x964;
              				_t743 =  *0x13ad668; // 0x5221689b
              				_v8 = _t743 ^ _t1273;
              				_t1055 = _a20;
              				_push(__esi);
              				_push(__edi);
              				_t1187 = _a16;
              				_v1924 = _t1187;
              				_v1920 = _t1055;
              				E0139C078( &_v1944, __eflags);
              				_t1236 = _a8;
              				_t748 = 0x2d;
              				if((_t1236 & 0x80000000) == 0) {
              					_t748 = 0x120;
              				}
              				 *_t1187 = _t748;
              				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
              				_t1188 = _a4;
              				if((_t1236 & 0x7ff00000) != 0) {
              					L5:
              					_t753 = E013986BF( &_a4);
              					_pop(_t1070);
              					__eflags = _t753;
              					if(_t753 != 0) {
              						_t1070 = _v1924;
              						 *((intOrPtr*)(_v1924 + 4)) = 1;
              					}
              					_t754 = _t753 - 1;
              					__eflags = _t754;
              					if(_t754 == 0) {
              						_push("1#INF");
              						goto L308;
              					} else {
              						_t777 = _t754 - 1;
              						__eflags = _t777;
              						if(_t777 == 0) {
              							_push("1#QNAN");
              							goto L308;
              						} else {
              							_t778 = _t777 - 1;
              							__eflags = _t778;
              							if(_t778 == 0) {
              								_push("1#SNAN");
              								goto L308;
              							} else {
              								__eflags = _t778 == 1;
              								if(_t778 == 1) {
              									_push("1#IND");
              									goto L308;
              								} else {
              									_v1928 = _v1928 & 0x00000000;
              									_a4 = _t1188;
              									_a8 = _t1236 & 0x7fffffff;
              									_t1288 = _a4;
              									asm("fst qword [ebp-0x768]");
              									_t1190 = _v1896;
              									_v1916 = _a12 + 1;
              									_t1077 = _t1190 >> 0x14;
              									_t784 = _t1077 & 0x000007ff;
              									__eflags = _t784;
              									if(_t784 != 0) {
              										_t1143 = 0;
              										_t784 = 0;
              										__eflags = 0;
              									} else {
              										_t1143 = 1;
              									}
              									_t1191 = _t1190 & 0x000fffff;
              									_t1058 = _v1900 + _t784;
              									asm("adc edi, esi");
              									__eflags = _t1143;
              									_t1078 = _t1077 & 0x000007ff;
              									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
              									_v1872 = _t1242;
              									E0139E0C0(_t1078, _t1288);
              									_push(_t1078);
              									_push(_t1078);
              									 *_t1276 = _t1288;
              									_t790 = E013A0F10(E0139E1D0(_t1191, _t1242), _t1288);
              									_v1904 = _t790;
              									__eflags = _t790 - 0x7fffffff;
              									if(_t790 == 0x7fffffff) {
              										L16:
              										__eflags = 0;
              										_v1904 = 0;
              									} else {
              										__eflags = _t790 - 0x80000000;
              										if(_t790 == 0x80000000) {
              											goto L16;
              										}
              									}
              									_v468 = _t1058;
              									__eflags = _t1191;
              									_v464 = _t1191;
              									_t1061 = (0 | _t1191 != 0x00000000) + 1;
              									_v472 = _t1061;
              									__eflags = _t1242;
              									if(_t1242 < 0) {
              										__eflags = _t1242 - 0xfffffc02;
              										if(_t1242 == 0xfffffc02) {
              											L101:
              											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
              											_t195 =  &_v1896;
              											 *_t195 = _v1896 & 0x00000000;
              											__eflags =  *_t195;
              											asm("bsr eax, eax");
              											if( *_t195 == 0) {
              												_t1081 = 0;
              												__eflags = 0;
              											} else {
              												_t1081 = _t792 + 1;
              											}
              											_t793 = 0x20;
              											_t794 = _t793 - _t1081;
              											__eflags = _t794 - 1;
              											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
              											__eflags = _t1061 - 0x73;
              											_v1865 = _t795;
              											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
              											__eflags = _t1061 - 0x73;
              											if(_t1061 != 0x73) {
              												L107:
              												_t796 = 0;
              												__eflags = 0;
              											} else {
              												__eflags = _t795;
              												if(_t795 == 0) {
              													goto L107;
              												} else {
              													_t796 = 1;
              												}
              											}
              											__eflags = _t1082;
              											if(_t1082 != 0) {
              												L126:
              												_v1400 = _v1400 & 0x00000000;
              												_t224 =  &_v472;
              												 *_t224 = _v472 & 0x00000000;
              												__eflags =  *_t224;
              												E0139AA64( &_v468, 0x1cc,  &_v1396, 0);
              												_t1276 =  &(_t1276[4]);
              											} else {
              												__eflags = _t796;
              												if(_t796 != 0) {
              													goto L126;
              												} else {
              													_t1109 = 0x72;
              													__eflags = _t1061 - _t1109;
              													if(_t1061 < _t1109) {
              														_t1109 = _t1061;
              													}
              													__eflags = _t1109 - 0xffffffff;
              													if(_t1109 != 0xffffffff) {
              														_t1260 = _t1109;
              														_t1218 =  &_v468 + _t1109 * 4;
              														_v1880 = _t1218;
              														while(1) {
              															__eflags = _t1260 - _t1061;
              															if(_t1260 >= _t1061) {
              																_t208 =  &_v1876;
              																 *_t208 = _v1876 & 0x00000000;
              																__eflags =  *_t208;
              															} else {
              																_v1876 =  *_t1218;
              															}
              															_t210 = _t1260 - 1; // 0x70
              															__eflags = _t210 - _t1061;
              															if(_t210 >= _t1061) {
              																_t1170 = 0;
              																__eflags = 0;
              															} else {
              																_t1170 =  *(_t1218 - 4);
              															}
              															_t1218 = _t1218 - 4;
              															_t972 = _v1880;
              															_t1260 = _t1260 - 1;
              															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
              															_v1880 = _t972 - 4;
              															__eflags = _t1260 - 0xffffffff;
              															if(_t1260 == 0xffffffff) {
              																break;
              															}
              															_t1061 = _v472;
              														}
              														_t1242 = _v1872;
              													}
              													__eflags = _v1865;
              													if(_v1865 == 0) {
              														_v472 = _t1109;
              													} else {
              														_t218 = _t1109 + 1; // 0x73
              														_v472 = _t218;
              													}
              												}
              											}
              											_t1194 = 1 - _t1242;
              											E0138E920(_t1194,  &_v1396, 0, 1);
              											__eflags = 1;
              											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
              											_t805 = 0xbadbae;
              										} else {
              											_v1396 = _v1396 & 0x00000000;
              											_t1110 = 2;
              											_v1392 = 0x100000;
              											_v1400 = _t1110;
              											__eflags = _t1061 - _t1110;
              											if(_t1061 == _t1110) {
              												_t1174 = 0;
              												__eflags = 0;
              												while(1) {
              													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
              													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
              													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
              														goto L101;
              													}
              													_t1174 = _t1174 + 4;
              													__eflags = _t1174 - 8;
              													if(_t1174 != 8) {
              														continue;
              													} else {
              														_t166 =  &_v1896;
              														 *_t166 = _v1896 & 0x00000000;
              														__eflags =  *_t166;
              														asm("bsr eax, edi");
              														if( *_t166 == 0) {
              															_t1175 = 0;
              															__eflags = 0;
              														} else {
              															_t1175 = _t974 + 1;
              														}
              														_t975 = 0x20;
              														_t1261 = _t1110;
              														__eflags = _t975 - _t1175 - _t1110;
              														_t977 =  &_v460;
              														_v1880 = _t977;
              														_t1219 = _t977;
              														_t171 =  &_v1865;
              														 *_t171 = _t975 - _t1175 - _t1110 > 0;
              														__eflags =  *_t171;
              														while(1) {
              															__eflags = _t1261 - _t1061;
              															if(_t1261 >= _t1061) {
              																_t173 =  &_v1876;
              																 *_t173 = _v1876 & 0x00000000;
              																__eflags =  *_t173;
              															} else {
              																_v1876 =  *_t1219;
              															}
              															_t175 = _t1261 - 1; // 0x0
              															__eflags = _t175 - _t1061;
              															if(_t175 >= _t1061) {
              																_t1176 = 0;
              																__eflags = 0;
              															} else {
              																_t1176 =  *(_t1219 - 4);
              															}
              															_t1219 = _t1219 - 4;
              															_t981 = _v1880;
              															_t1261 = _t1261 - 1;
              															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
              															_v1880 = _t981 - 4;
              															__eflags = _t1261 - 0xffffffff;
              															if(_t1261 == 0xffffffff) {
              																break;
              															}
              															_t1061 = _v472;
              														}
              														__eflags = _v1865;
              														_t1111 = _t1110 - _v1872;
              														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
              														_t1221 = _t1111 >> 5;
              														_v1884 = _t1111;
              														_t1263 = _t1221 << 2;
              														E0138E920(_t1221,  &_v1396, 0, _t1263);
              														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
              														_t805 = _t1221 + 1;
              													}
              													goto L128;
              												}
              											}
              											goto L101;
              										}
              										L128:
              										_v1400 = _t805;
              										_t1064 = 0x1cc;
              										_v936 = _t805;
              										__eflags = _t805 << 2;
              										E0139AA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
              										_t1279 =  &(_t1276[7]);
              									} else {
              										_v1396 = _v1396 & 0x00000000;
              										_t1264 = 2;
              										_v1392 = 0x100000;
              										_v1400 = _t1264;
              										__eflags = _t1061 - _t1264;
              										if(_t1061 != _t1264) {
              											L53:
              											_t992 = _v1872 + 1;
              											_t993 = _t992 & 0x0000001f;
              											_t1114 = 0x20;
              											_v1876 = _t993;
              											_t1223 = _t992 >> 5;
              											_v1872 = _t1223;
              											_v1908 = _t1114 - _t993;
              											_t996 = E0138DDA0(1, _t1114 - _t993, 0);
              											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
              											_t997 = _t996 - 1;
              											_t108 =  &_v1896;
              											 *_t108 = _v1896 & 0x00000000;
              											__eflags =  *_t108;
              											asm("bsr ecx, ecx");
              											_v1884 = _t997;
              											_v1912 =  !_t997;
              											if( *_t108 == 0) {
              												_t1117 = 0;
              												__eflags = 0;
              											} else {
              												_t1117 = _t1116 + 1;
              											}
              											_t999 = 0x20;
              											_t1000 = _t999 - _t1117;
              											_t1181 = _t1061 + _t1223;
              											__eflags = _v1876 - _t1000;
              											_v1892 = _t1181;
              											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
              											__eflags = _t1181 - 0x73;
              											_v1865 = _t1001;
              											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
              											__eflags = _t1181 - 0x73;
              											if(_t1181 != 0x73) {
              												L59:
              												_t1002 = 0;
              												__eflags = 0;
              											} else {
              												__eflags = _t1001;
              												if(_t1001 == 0) {
              													goto L59;
              												} else {
              													_t1002 = 1;
              												}
              											}
              											__eflags = _t1118;
              											if(_t1118 != 0) {
              												L81:
              												__eflags = 0;
              												_t1064 = 0x1cc;
              												_v1400 = 0;
              												_v472 = 0;
              												E0139AA64( &_v468, 0x1cc,  &_v1396, 0);
              												_t1276 =  &(_t1276[4]);
              											} else {
              												__eflags = _t1002;
              												if(_t1002 != 0) {
              													goto L81;
              												} else {
              													_t1119 = 0x72;
              													__eflags = _t1181 - _t1119;
              													if(_t1181 >= _t1119) {
              														_t1181 = _t1119;
              														_v1892 = _t1119;
              													}
              													_t1012 = _t1181;
              													_v1880 = _t1012;
              													__eflags = _t1181 - 0xffffffff;
              													if(_t1181 != 0xffffffff) {
              														_t1182 = _v1872;
              														_t1266 = _t1181 - _t1182;
              														__eflags = _t1266;
              														_t1123 =  &_v468 + _t1266 * 4;
              														_v1888 = _t1123;
              														while(1) {
              															__eflags = _t1012 - _t1182;
              															if(_t1012 < _t1182) {
              																break;
              															}
              															__eflags = _t1266 - _t1061;
              															if(_t1266 >= _t1061) {
              																_t1226 = 0;
              																__eflags = 0;
              															} else {
              																_t1226 =  *_t1123;
              															}
              															__eflags = _t1266 - 1 - _t1061;
              															if(_t1266 - 1 >= _t1061) {
              																_t1017 = 0;
              																__eflags = 0;
              															} else {
              																_t1017 =  *(_t1123 - 4);
              															}
              															_t1020 = _v1880;
              															_t1123 = _v1888 - 4;
              															_v1888 = _t1123;
              															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
              															_t1012 = _t1020 - 1;
              															_t1266 = _t1266 - 1;
              															_v1880 = _t1012;
              															__eflags = _t1012 - 0xffffffff;
              															if(_t1012 != 0xffffffff) {
              																_t1061 = _v472;
              																continue;
              															}
              															break;
              														}
              														_t1181 = _v1892;
              														_t1223 = _v1872;
              														_t1264 = 2;
              													}
              													__eflags = _t1223;
              													if(_t1223 != 0) {
              														__eflags = 0;
              														memset( &_v468, 0, _t1223 << 2);
              														_t1276 =  &(_t1276[3]);
              													}
              													__eflags = _v1865;
              													_t1064 = 0x1cc;
              													if(_v1865 == 0) {
              														_v472 = _t1181;
              													} else {
              														_v472 = _t1181 + 1;
              													}
              												}
              											}
              											_v1392 = _v1392 & 0x00000000;
              											_v1396 = _t1264;
              											_v1400 = 1;
              											_v936 = 1;
              											_push(4);
              										} else {
              											_t1127 = 0;
              											__eflags = 0;
              											while(1) {
              												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
              												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
              													goto L53;
              												}
              												_t1127 = _t1127 + 4;
              												__eflags = _t1127 - 8;
              												if(_t1127 != 8) {
              													continue;
              												} else {
              													_t1023 = _v1872 + 2;
              													_t1024 = _t1023 & 0x0000001f;
              													_t1128 = 0x20;
              													_t1129 = _t1128 - _t1024;
              													_v1888 = _t1024;
              													_t1268 = _t1023 >> 5;
              													_v1876 = _t1268;
              													_v1908 = _t1129;
              													_t1027 = E0138DDA0(1, _t1129, 0);
              													_v1896 = _v1896 & 0x00000000;
              													_t1028 = _t1027 - 1;
              													__eflags = _t1028;
              													asm("bsr ecx, edi");
              													_v1884 = _t1028;
              													_v1912 =  !_t1028;
              													if(_t1028 == 0) {
              														_t1130 = 0;
              														__eflags = 0;
              													} else {
              														_t1130 = _t1129 + 1;
              													}
              													_t1030 = 0x20;
              													_t1031 = _t1030 - _t1130;
              													_t1184 = _t1268 + 2;
              													__eflags = _v1888 - _t1031;
              													_v1880 = _t1184;
              													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
              													__eflags = _t1184 - 0x73;
              													_v1865 = _t1032;
              													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
              													__eflags = _t1184 - 0x73;
              													if(_t1184 != 0x73) {
              														L28:
              														_t1033 = 0;
              														__eflags = 0;
              													} else {
              														__eflags = _t1032;
              														if(_t1032 == 0) {
              															goto L28;
              														} else {
              															_t1033 = 1;
              														}
              													}
              													__eflags = _t1131;
              													if(_t1131 != 0) {
              														L50:
              														__eflags = 0;
              														_t1064 = 0x1cc;
              														_v1400 = 0;
              														_v472 = 0;
              														E0139AA64( &_v468, 0x1cc,  &_v1396, 0);
              														_t1276 =  &(_t1276[4]);
              													} else {
              														__eflags = _t1033;
              														if(_t1033 != 0) {
              															goto L50;
              														} else {
              															_t1134 = 0x72;
              															__eflags = _t1184 - _t1134;
              															if(_t1184 >= _t1134) {
              																_t1184 = _t1134;
              																_v1880 = _t1134;
              															}
              															_t1135 = _t1184;
              															_v1892 = _t1135;
              															__eflags = _t1184 - 0xffffffff;
              															if(_t1184 != 0xffffffff) {
              																_t1185 = _v1876;
              																_t1270 = _t1184 - _t1185;
              																__eflags = _t1270;
              																_t1043 =  &_v468 + _t1270 * 4;
              																_v1872 = _t1043;
              																while(1) {
              																	__eflags = _t1135 - _t1185;
              																	if(_t1135 < _t1185) {
              																		break;
              																	}
              																	__eflags = _t1270 - _t1061;
              																	if(_t1270 >= _t1061) {
              																		_t1232 = 0;
              																		__eflags = 0;
              																	} else {
              																		_t1232 =  *_t1043;
              																	}
              																	__eflags = _t1270 - 1 - _t1061;
              																	if(_t1270 - 1 >= _t1061) {
              																		_t1045 = 0;
              																		__eflags = 0;
              																	} else {
              																		_t1045 =  *(_v1872 - 4);
              																	}
              																	_t1140 = _v1892;
              																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
              																	_t1135 = _t1140 - 1;
              																	_t1270 = _t1270 - 1;
              																	_t1043 = _v1872 - 4;
              																	_v1892 = _t1135;
              																	_v1872 = _t1043;
              																	__eflags = _t1135 - 0xffffffff;
              																	if(_t1135 != 0xffffffff) {
              																		_t1061 = _v472;
              																		continue;
              																	}
              																	break;
              																}
              																_t1184 = _v1880;
              																_t1268 = _v1876;
              															}
              															__eflags = _t1268;
              															if(_t1268 != 0) {
              																__eflags = 0;
              																memset( &_v468, 0, _t1268 << 2);
              																_t1276 =  &(_t1276[3]);
              															}
              															__eflags = _v1865;
              															_t1064 = 0x1cc;
              															if(_v1865 == 0) {
              																_v472 = _t1184;
              															} else {
              																_v472 = _t1184 + 1;
              															}
              														}
              													}
              													_v1392 = _v1392 & 0x00000000;
              													_t1038 = 4;
              													__eflags = 1;
              													_v1396 = _t1038;
              													_v1400 = 1;
              													_v936 = 1;
              													_push(_t1038);
              												}
              												goto L52;
              											}
              											goto L53;
              										}
              										L52:
              										_push( &_v1396);
              										_push(_t1064);
              										_push( &_v932);
              										E0139AA64();
              										_t1279 =  &(_t1276[4]);
              									}
              									_t810 = _v1904;
              									_t1084 = 0xa;
              									_v1912 = _t1084;
              									__eflags = _t810;
              									if(_t810 < 0) {
              										_t811 =  ~_t810;
              										_t812 = _t811 / _t1084;
              										_v1880 = _t812;
              										_t1085 = _t811 % _t1084;
              										_v1884 = _t1085;
              										__eflags = _t812;
              										if(_t812 == 0) {
              											L249:
              											__eflags = _t1085;
              											if(_t1085 != 0) {
              												_t849 =  *(0x13a6a9c + _t1085 * 4);
              												_v1896 = _t849;
              												__eflags = _t849;
              												if(_t849 == 0) {
              													L260:
              													__eflags = 0;
              													_push(0);
              													_v472 = 0;
              													_v2408 = 0;
              													goto L261;
              												} else {
              													__eflags = _t849 - 1;
              													if(_t849 != 1) {
              														_t1096 = _v472;
              														__eflags = _t1096;
              														if(_t1096 != 0) {
              															_t1201 = 0;
              															_t1250 = 0;
              															__eflags = 0;
              															do {
              																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
              																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
              																_t849 = _v1896;
              																asm("adc edx, 0x0");
              																_t1250 = _t1250 + 1;
              																_t1201 = _t1155;
              																__eflags = _t1250 - _t1096;
              															} while (_t1250 != _t1096);
              															__eflags = _t1201;
              															if(_t1201 != 0) {
              																_t856 = _v472;
              																__eflags = _t856 - 0x73;
              																if(_t856 >= 0x73) {
              																	goto L260;
              																} else {
              																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
              																	_v472 = _v472 + 1;
              																}
              															}
              														}
              													}
              												}
              											}
              										} else {
              											do {
              												__eflags = _t812 - 0x26;
              												if(_t812 > 0x26) {
              													_t812 = 0x26;
              												}
              												_t1097 =  *(0x13a6a06 + _t812 * 4) & 0x000000ff;
              												_v1872 = _t812;
              												_v1400 = ( *(0x13a6a06 + _t812 * 4) & 0x000000ff) + ( *(0x13a6a07 + _t812 * 4) & 0x000000ff);
              												E0138E920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
              												_t867 = E0138EA80( &(( &_v1396)[_t1097]), 0x13a6100 + ( *(0x13a6a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x13a6a07 + _t812 * 4) & 0x000000ff) << 2);
              												_t1098 = _v1400;
              												_t1279 =  &(_t1279[6]);
              												_v1892 = _t1098;
              												__eflags = _t1098 - 1;
              												if(_t1098 > 1) {
              													__eflags = _v472 - 1;
              													if(_v472 > 1) {
              														__eflags = _t1098 - _v472;
              														_t1204 =  &_v1396;
              														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
              														__eflags = _t868;
              														if(_t868 != 0) {
              															_t1156 =  &_v468;
              														} else {
              															_t1204 =  &_v468;
              															_t1156 =  &_v1396;
              														}
              														_v1908 = _t1156;
              														__eflags = _t868;
              														if(_t868 == 0) {
              															_t1098 = _v472;
              														}
              														_v1876 = _t1098;
              														__eflags = _t868;
              														if(_t868 != 0) {
              															_v1892 = _v472;
              														}
              														_t1157 = 0;
              														_t1252 = 0;
              														_v1864 = 0;
              														__eflags = _t1098;
              														if(_t1098 == 0) {
              															L243:
              															_v472 = _t1157;
              															_t870 = _t1157 << 2;
              															__eflags = _t870;
              															_push(_t870);
              															_t871 =  &_v1860;
              															goto L244;
              														} else {
              															_t1205 = _t1204 -  &_v1860;
              															__eflags = _t1205;
              															_v1928 = _t1205;
              															do {
              																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
              																_v1896 = _t878;
              																__eflags = _t878;
              																if(_t878 != 0) {
              																	_t879 = 0;
              																	_t1206 = 0;
              																	_t1099 = _t1252;
              																	_v1888 = 0;
              																	__eflags = _v1892;
              																	if(_v1892 == 0) {
              																		L240:
              																		__eflags = _t1099 - 0x73;
              																		if(_t1099 == 0x73) {
              																			goto L258;
              																		} else {
              																			_t1205 = _v1928;
              																			_t1098 = _v1876;
              																			goto L242;
              																		}
              																	} else {
              																		while(1) {
              																			__eflags = _t1099 - 0x73;
              																			if(_t1099 == 0x73) {
              																				goto L235;
              																			}
              																			__eflags = _t1099 - _t1157;
              																			if(_t1099 == _t1157) {
              																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
              																				_t891 = _t879 + 1 + _t1252;
              																				__eflags = _t891;
              																				_v1864 = _t891;
              																				_t879 = _v1888;
              																			}
              																			_t886 =  *(_v1908 + _t879 * 4);
              																			asm("adc edx, 0x0");
              																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
              																			asm("adc edx, 0x0");
              																			_t879 = _v1888 + 1;
              																			_t1099 = _t1099 + 1;
              																			_v1888 = _t879;
              																			_t1206 = _t886 * _v1896 >> 0x20;
              																			_t1157 = _v1864;
              																			__eflags = _t879 - _v1892;
              																			if(_t879 != _v1892) {
              																				continue;
              																			} else {
              																				goto L235;
              																			}
              																			while(1) {
              																				L235:
              																				__eflags = _t1206;
              																				if(_t1206 == 0) {
              																					goto L240;
              																				}
              																				__eflags = _t1099 - 0x73;
              																				if(_t1099 == 0x73) {
              																					goto L258;
              																				} else {
              																					__eflags = _t1099 - _t1157;
              																					if(_t1099 == _t1157) {
              																						_t558 = _t1273 + _t1099 * 4 - 0x740;
              																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
              																						__eflags =  *_t558;
              																						_t564 = _t1099 + 1; // 0x1
              																						_v1864 = _t564;
              																					}
              																					_t884 = _t1206;
              																					_t1206 = 0;
              																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
              																					_t1157 = _v1864;
              																					asm("adc edi, edi");
              																					_t1099 = _t1099 + 1;
              																					continue;
              																				}
              																				goto L246;
              																			}
              																			goto L240;
              																		}
              																		goto L235;
              																	}
              																} else {
              																	__eflags = _t1252 - _t1157;
              																	if(_t1252 == _t1157) {
              																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
              																		_t526 = _t1252 + 1; // 0x1
              																		_t1157 = _t526;
              																		_v1864 = _t1157;
              																	}
              																	goto L242;
              																}
              																goto L246;
              																L242:
              																_t1252 = _t1252 + 1;
              																__eflags = _t1252 - _t1098;
              															} while (_t1252 != _t1098);
              															goto L243;
              														}
              													} else {
              														_t1207 = _v468;
              														_v472 = _t1098;
              														E0139AA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
              														_t1279 =  &(_t1279[4]);
              														__eflags = _t1207;
              														if(_t1207 == 0) {
              															goto L203;
              														} else {
              															__eflags = _t1207 - 1;
              															if(_t1207 == 1) {
              																goto L245;
              															} else {
              																__eflags = _v472;
              																if(_v472 == 0) {
              																	goto L245;
              																} else {
              																	_t1100 = 0;
              																	_v1896 = _v472;
              																	_t1253 = 0;
              																	__eflags = 0;
              																	do {
              																		_t900 = _t1207;
              																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
              																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
              																		asm("adc edx, 0x0");
              																		_t1253 = _t1253 + 1;
              																		_t1100 = _t1158;
              																		__eflags = _t1253 - _v1896;
              																	} while (_t1253 != _v1896);
              																	goto L208;
              																}
              															}
              														}
              													}
              												} else {
              													_t1208 = _v1396;
              													__eflags = _t1208;
              													if(_t1208 != 0) {
              														__eflags = _t1208 - 1;
              														if(_t1208 == 1) {
              															goto L245;
              														} else {
              															__eflags = _v472;
              															if(_v472 == 0) {
              																goto L245;
              															} else {
              																_t1101 = 0;
              																_v1896 = _v472;
              																_t1254 = 0;
              																__eflags = 0;
              																do {
              																	_t905 = _t1208;
              																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
              																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
              																	asm("adc edx, 0x0");
              																	_t1254 = _t1254 + 1;
              																	_t1101 = _t1159;
              																	__eflags = _t1254 - _v1896;
              																} while (_t1254 != _v1896);
              																L208:
              																__eflags = _t1100;
              																if(_t1100 == 0) {
              																	goto L245;
              																} else {
              																	_t903 = _v472;
              																	__eflags = _t903 - 0x73;
              																	if(_t903 >= 0x73) {
              																		L258:
              																		_v2408 = 0;
              																		_v472 = 0;
              																		E0139AA64( &_v468, _t1064,  &_v2404, 0);
              																		_t1279 =  &(_t1279[4]);
              																		_t874 = 0;
              																	} else {
              																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
              																		_v472 = _v472 + 1;
              																		goto L245;
              																	}
              																}
              															}
              														}
              													} else {
              														L203:
              														_v2408 = 0;
              														_v472 = 0;
              														_push(0);
              														_t871 =  &_v2404;
              														L244:
              														_push(_t871);
              														_push(_t1064);
              														_push( &_v468);
              														E0139AA64();
              														_t1279 =  &(_t1279[4]);
              														L245:
              														_t874 = 1;
              													}
              												}
              												L246:
              												__eflags = _t874;
              												if(_t874 == 0) {
              													_v2408 = _v2408 & 0x00000000;
              													_v472 = _v472 & 0x00000000;
              													_push(0);
              													L261:
              													_push( &_v2404);
              													_t852 =  &_v468;
              													goto L262;
              												} else {
              													goto L247;
              												}
              												goto L263;
              												L247:
              												_t812 = _v1880 - _v1872;
              												__eflags = _t812;
              												_v1880 = _t812;
              											} while (_t812 != 0);
              											_t1085 = _v1884;
              											goto L249;
              										}
              									} else {
              										_t908 = _t810 / _t1084;
              										_v1908 = _t908;
              										_t1102 = _t810 % _t1084;
              										_v1896 = _t1102;
              										__eflags = _t908;
              										if(_t908 == 0) {
              											L184:
              											__eflags = _t1102;
              											if(_t1102 != 0) {
              												_t1209 =  *(0x13a6a9c + _t1102 * 4);
              												__eflags = _t1209;
              												if(_t1209 != 0) {
              													__eflags = _t1209 - 1;
              													if(_t1209 != 1) {
              														_t909 = _v936;
              														_v1896 = _t909;
              														__eflags = _t909;
              														if(_t909 != 0) {
              															_t1255 = 0;
              															_t1103 = 0;
              															__eflags = 0;
              															do {
              																_t910 = _t1209;
              																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
              																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
              																asm("adc edx, 0x0");
              																_t1103 = _t1103 + 1;
              																_t1255 = _t1163;
              																__eflags = _t1103 - _v1896;
              															} while (_t1103 != _v1896);
              															__eflags = _t1255;
              															if(_t1255 != 0) {
              																_t913 = _v936;
              																__eflags = _t913 - 0x73;
              																if(_t913 >= 0x73) {
              																	goto L186;
              																} else {
              																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
              																	_v936 = _v936 + 1;
              																}
              															}
              														}
              													}
              												} else {
              													L186:
              													_v2408 = 0;
              													_v936 = 0;
              													_push(0);
              													goto L190;
              												}
              											}
              										} else {
              											do {
              												__eflags = _t908 - 0x26;
              												if(_t908 > 0x26) {
              													_t908 = 0x26;
              												}
              												_t1104 =  *(0x13a6a06 + _t908 * 4) & 0x000000ff;
              												_v1888 = _t908;
              												_v1400 = ( *(0x13a6a06 + _t908 * 4) & 0x000000ff) + ( *(0x13a6a07 + _t908 * 4) & 0x000000ff);
              												E0138E920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
              												_t926 = E0138EA80( &(( &_v1396)[_t1104]), 0x13a6100 + ( *(0x13a6a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x13a6a07 + _t908 * 4) & 0x000000ff) << 2);
              												_t1105 = _v1400;
              												_t1279 =  &(_t1279[6]);
              												_v1892 = _t1105;
              												__eflags = _t1105 - 1;
              												if(_t1105 > 1) {
              													__eflags = _v936 - 1;
              													if(_v936 > 1) {
              														__eflags = _t1105 - _v936;
              														_t1212 =  &_v1396;
              														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
              														__eflags = _t927;
              														if(_t927 != 0) {
              															_t1164 =  &_v932;
              														} else {
              															_t1212 =  &_v932;
              															_t1164 =  &_v1396;
              														}
              														_v1876 = _t1164;
              														__eflags = _t927;
              														if(_t927 == 0) {
              															_t1105 = _v936;
              														}
              														_v1880 = _t1105;
              														__eflags = _t927;
              														if(_t927 != 0) {
              															_v1892 = _v936;
              														}
              														_t1165 = 0;
              														_t1257 = 0;
              														_v1864 = 0;
              														__eflags = _t1105;
              														if(_t1105 == 0) {
              															L177:
              															_v936 = _t1165;
              															_t929 = _t1165 << 2;
              															__eflags = _t929;
              															goto L178;
              														} else {
              															_t1213 = _t1212 -  &_v1860;
              															__eflags = _t1213;
              															_v1928 = _t1213;
              															do {
              																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
              																_v1884 = _t937;
              																__eflags = _t937;
              																if(_t937 != 0) {
              																	_t938 = 0;
              																	_t1214 = 0;
              																	_t1106 = _t1257;
              																	_v1872 = 0;
              																	__eflags = _v1892;
              																	if(_v1892 == 0) {
              																		L174:
              																		__eflags = _t1106 - 0x73;
              																		if(_t1106 == 0x73) {
              																			goto L187;
              																		} else {
              																			_t1213 = _v1928;
              																			_t1105 = _v1880;
              																			goto L176;
              																		}
              																	} else {
              																		while(1) {
              																			__eflags = _t1106 - 0x73;
              																			if(_t1106 == 0x73) {
              																				goto L169;
              																			}
              																			__eflags = _t1106 - _t1165;
              																			if(_t1106 == _t1165) {
              																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
              																				_t950 = _t938 + 1 + _t1257;
              																				__eflags = _t950;
              																				_v1864 = _t950;
              																				_t938 = _v1872;
              																			}
              																			_t945 =  *(_v1876 + _t938 * 4);
              																			asm("adc edx, 0x0");
              																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
              																			asm("adc edx, 0x0");
              																			_t938 = _v1872 + 1;
              																			_t1106 = _t1106 + 1;
              																			_v1872 = _t938;
              																			_t1214 = _t945 * _v1884 >> 0x20;
              																			_t1165 = _v1864;
              																			__eflags = _t938 - _v1892;
              																			if(_t938 != _v1892) {
              																				continue;
              																			} else {
              																				goto L169;
              																			}
              																			while(1) {
              																				L169:
              																				__eflags = _t1214;
              																				if(_t1214 == 0) {
              																					goto L174;
              																				}
              																				__eflags = _t1106 - 0x73;
              																				if(_t1106 == 0x73) {
              																					L187:
              																					__eflags = 0;
              																					_v2408 = 0;
              																					_v936 = 0;
              																					_push(0);
              																					_t940 =  &_v2404;
              																					goto L188;
              																				} else {
              																					__eflags = _t1106 - _t1165;
              																					if(_t1106 == _t1165) {
              																						_t370 = _t1273 + _t1106 * 4 - 0x740;
              																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
              																						__eflags =  *_t370;
              																						_t376 = _t1106 + 1; // 0x1
              																						_v1864 = _t376;
              																					}
              																					_t943 = _t1214;
              																					_t1214 = 0;
              																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
              																					_t1165 = _v1864;
              																					asm("adc edi, edi");
              																					_t1106 = _t1106 + 1;
              																					continue;
              																				}
              																				goto L181;
              																			}
              																			goto L174;
              																		}
              																		goto L169;
              																	}
              																} else {
              																	__eflags = _t1257 - _t1165;
              																	if(_t1257 == _t1165) {
              																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
              																		_t338 = _t1257 + 1; // 0x1
              																		_t1165 = _t338;
              																		_v1864 = _t1165;
              																	}
              																	goto L176;
              																}
              																goto L181;
              																L176:
              																_t1257 = _t1257 + 1;
              																__eflags = _t1257 - _t1105;
              															} while (_t1257 != _t1105);
              															goto L177;
              														}
              													} else {
              														_t1215 = _v932;
              														_v936 = _t1105;
              														E0139AA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
              														_t1279 =  &(_t1279[4]);
              														__eflags = _t1215;
              														if(_t1215 != 0) {
              															__eflags = _t1215 - 1;
              															if(_t1215 == 1) {
              																goto L180;
              															} else {
              																__eflags = _v936;
              																if(_v936 == 0) {
              																	goto L180;
              																} else {
              																	_t1107 = 0;
              																	_v1884 = _v936;
              																	_t1258 = 0;
              																	__eflags = 0;
              																	do {
              																		_t958 = _t1215;
              																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
              																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
              																		asm("adc edx, 0x0");
              																		_t1258 = _t1258 + 1;
              																		_t1107 = _t1166;
              																		__eflags = _t1258 - _v1884;
              																	} while (_t1258 != _v1884);
              																	goto L149;
              																}
              															}
              														} else {
              															_v1400 = 0;
              															_v936 = 0;
              															_push(0);
              															_t930 =  &_v1396;
              															goto L179;
              														}
              													}
              												} else {
              													_t1216 = _v1396;
              													__eflags = _t1216;
              													if(_t1216 != 0) {
              														__eflags = _t1216 - 1;
              														if(_t1216 == 1) {
              															goto L180;
              														} else {
              															__eflags = _v936;
              															if(_v936 == 0) {
              																goto L180;
              															} else {
              																_t1108 = 0;
              																_v1884 = _v936;
              																_t1259 = 0;
              																__eflags = 0;
              																do {
              																	_t965 = _t1216;
              																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
              																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
              																	asm("adc edx, 0x0");
              																	_t1259 = _t1259 + 1;
              																	_t1108 = _t1167;
              																	__eflags = _t1259 - _v1884;
              																} while (_t1259 != _v1884);
              																L149:
              																__eflags = _t1107;
              																if(_t1107 == 0) {
              																	goto L180;
              																} else {
              																	_t961 = _v936;
              																	__eflags = _t961 - 0x73;
              																	if(_t961 < 0x73) {
              																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
              																		_v936 = _v936 + 1;
              																		goto L180;
              																	} else {
              																		_v1400 = 0;
              																		_v936 = 0;
              																		_push(0);
              																		_t940 =  &_v1396;
              																		L188:
              																		_push(_t940);
              																		_push(_t1064);
              																		_push( &_v932);
              																		E0139AA64();
              																		_t1279 =  &(_t1279[4]);
              																		_t933 = 0;
              																	}
              																}
              															}
              														}
              													} else {
              														_t929 = 0;
              														_v1864 = 0;
              														_v936 = 0;
              														L178:
              														_push(_t929);
              														_t930 =  &_v1860;
              														L179:
              														_push(_t930);
              														_push(_t1064);
              														_push( &_v932);
              														E0139AA64();
              														_t1279 =  &(_t1279[4]);
              														L180:
              														_t933 = 1;
              													}
              												}
              												L181:
              												__eflags = _t933;
              												if(_t933 == 0) {
              													_v2408 = _v2408 & 0x00000000;
              													_t404 =  &_v936;
              													 *_t404 = _v936 & 0x00000000;
              													__eflags =  *_t404;
              													_push(0);
              													L190:
              													_push( &_v2404);
              													_t852 =  &_v932;
              													L262:
              													_push(_t1064);
              													_push(_t852);
              													E0139AA64();
              													_t1279 =  &(_t1279[4]);
              												} else {
              													goto L182;
              												}
              												goto L263;
              												L182:
              												_t908 = _v1908 - _v1888;
              												__eflags = _t908;
              												_v1908 = _t908;
              											} while (_t908 != 0);
              											_t1102 = _v1896;
              											goto L184;
              										}
              									}
              									L263:
              									_t1196 = _v1920;
              									_t1245 = _t1196;
              									_t1086 = _v472;
              									_v1872 = _t1245;
              									__eflags = _t1086;
              									if(_t1086 != 0) {
              										_t1249 = 0;
              										_t1200 = 0;
              										__eflags = 0;
              										do {
              											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
              											_t1153 = 0xa;
              											_t1154 = _t841 * _t1153 >> 0x20;
              											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
              											asm("adc edx, 0x0");
              											_t1200 = _t1200 + 1;
              											_t1249 = _t1154;
              											__eflags = _t1200 - _t1086;
              										} while (_t1200 != _t1086);
              										_v1896 = _t1249;
              										__eflags = _t1249;
              										_t1245 = _v1872;
              										if(_t1249 != 0) {
              											_t1095 = _v472;
              											__eflags = _t1095 - 0x73;
              											if(_t1095 >= 0x73) {
              												__eflags = 0;
              												_v2408 = 0;
              												_v472 = 0;
              												E0139AA64( &_v468, _t1064,  &_v2404, 0);
              												_t1279 =  &(_t1279[4]);
              											} else {
              												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
              												_v472 = _v472 + 1;
              											}
              										}
              										_t1196 = _t1245;
              									}
              									_t815 = E0139C0B0( &_v472,  &_v936);
              									_t1146 = 0xa;
              									__eflags = _t815 - _t1146;
              									if(_t815 != _t1146) {
              										__eflags = _t815;
              										if(_t815 != 0) {
              											_t816 = _t815 + 0x30;
              											__eflags = _t816;
              											_t1245 = _t1196 + 1;
              											 *_t1196 = _t816;
              											_v1872 = _t1245;
              											goto L282;
              										} else {
              											_t817 = _v1904 - 1;
              										}
              									} else {
              										_v1904 = _v1904 + 1;
              										_t1245 = _t1196 + 1;
              										_t832 = _v936;
              										 *_t1196 = 0x31;
              										_v1872 = _t1245;
              										__eflags = _t832;
              										if(_t832 != 0) {
              											_t1199 = 0;
              											_t1248 = _t832;
              											_t1094 = 0;
              											__eflags = 0;
              											do {
              												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
              												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
              												asm("adc edx, 0x0");
              												_t1094 = _t1094 + 1;
              												_t1199 = _t833 * _t1146 >> 0x20;
              												_t1146 = 0xa;
              												__eflags = _t1094 - _t1248;
              											} while (_t1094 != _t1248);
              											_t1245 = _v1872;
              											__eflags = _t1199;
              											if(_t1199 != 0) {
              												_t836 = _v936;
              												__eflags = _t836 - 0x73;
              												if(_t836 >= 0x73) {
              													_v2408 = 0;
              													_v936 = 0;
              													E0139AA64( &_v932, _t1064,  &_v2404, 0);
              													_t1279 =  &(_t1279[4]);
              												} else {
              													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
              													_v936 = _v936 + 1;
              												}
              											}
              										}
              										L282:
              										_t817 = _v1904;
              									}
              									 *((intOrPtr*)(_v1924 + 4)) = _t817;
              									_t1070 = _v1916;
              									__eflags = _t817;
              									if(_t817 >= 0) {
              										__eflags = _t1070 - 0x7fffffff;
              										if(_t1070 <= 0x7fffffff) {
              											_t1070 = _t1070 + _t817;
              											__eflags = _t1070;
              										}
              									}
              									_t819 = _a24 - 1;
              									__eflags = _t819 - _t1070;
              									if(_t819 >= _t1070) {
              										_t819 = _t1070;
              									}
              									_t755 = _t819 + _v1920;
              									_v1916 = _t755;
              									__eflags = _t1245 - _t755;
              									if(__eflags != 0) {
              										while(1) {
              											_t755 = _v472;
              											__eflags = _t755;
              											if(__eflags == 0) {
              												goto L303;
              											}
              											_t1197 = 0;
              											_t1246 = _t755;
              											_t1090 = 0;
              											__eflags = 0;
              											do {
              												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
              												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
              												asm("adc edx, 0x0");
              												_t1090 = _t1090 + 1;
              												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
              												__eflags = _t1090 - _t1246;
              											} while (_t1090 != _t1246);
              											_t1247 = _v1872;
              											__eflags = _t1197;
              											if(_t1197 != 0) {
              												_t826 = _v472;
              												__eflags = _t826 - 0x73;
              												if(_t826 >= 0x73) {
              													__eflags = 0;
              													_v2408 = 0;
              													_v472 = 0;
              													E0139AA64( &_v468, _t1064,  &_v2404, 0);
              													_t1279 =  &(_t1279[4]);
              												} else {
              													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
              													_v472 = _v472 + 1;
              												}
              											}
              											_t825 = E0139C0B0( &_v472,  &_v936);
              											_t1198 = 8;
              											_t1070 = _v1916 - _t1247;
              											__eflags = _t1070;
              											do {
              												_t708 = _t825 % _v1912;
              												_t825 = _t825 / _v1912;
              												_t1151 = _t708 + 0x30;
              												__eflags = _t1070 - _t1198;
              												if(_t1070 >= _t1198) {
              													 *((char*)(_t1198 + _t1247)) = _t1151;
              												}
              												_t1198 = _t1198 - 1;
              												__eflags = _t1198 - 0xffffffff;
              											} while (_t1198 != 0xffffffff);
              											__eflags = _t1070 - 9;
              											if(_t1070 > 9) {
              												_t1070 = 9;
              											}
              											_t1245 = _t1247 + _t1070;
              											_v1872 = _t1245;
              											__eflags = _t1245 - _v1916;
              											if(__eflags != 0) {
              												continue;
              											}
              											goto L303;
              										}
              									}
              									L303:
              									 *_t1245 = 0;
              									goto L309;
              								}
              							}
              						}
              					}
              				} else {
              					_t1070 = _t1236 & 0x000fffff;
              					if((_t1188 | _t1236 & 0x000fffff) != 0) {
              						goto L5;
              					} else {
              						_push(0x13a6ac4);
              						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
              						L308:
              						_push(_a24);
              						_push(_t1055);
              						if(E013979F6() != 0) {
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							E01397DBB();
              							asm("int3");
              							E0138E2F0(_t1142, 0x13aa9e8, 0x10);
              							_v32 = _v32 & 0x00000000;
              							E01399931(8);
              							_pop(_t1071);
              							_t721 =  &_v8;
              							 *_t721 = _v8 & 0x00000000;
              							__eflags =  *_t721;
              							_t1237 = 3;
              							while(1) {
              								_v36 = _t1237;
              								__eflags = _t1237 -  *0x13d0404; // 0x200
              								if(__eflags == 0) {
              									break;
              								}
              								_t763 =  *0x13d0408; // 0x0
              								_t764 =  *(_t763 + _t1237 * 4);
              								__eflags = _t764;
              								if(_t764 != 0) {
              									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
              									if(__eflags != 0) {
              										_t773 =  *0x13d0408; // 0x0
              										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
              										_t774 = E0139EC83(_t1071, _t1142, __eflags);
              										__eflags = _t774 - 0xffffffff;
              										if(_t774 != 0xffffffff) {
              											_t731 =  &_v32;
              											 *_t731 = _v32 + 1;
              											__eflags =  *_t731;
              										}
              									}
              									_t767 =  *0x13d0408; // 0x0
              									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
              									_t770 =  *0x13d0408; // 0x0
              									E01397A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
              									_pop(_t1071);
              									_t772 =  *0x13d0408; // 0x0
              									_t737 = _t772 + _t1237 * 4;
              									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
              									__eflags =  *_t737;
              								}
              								_t1237 = _t1237 + 1;
              							}
              							_v8 = 0xfffffffe;
              							E0139D991();
              							return E0138E336(_t1142);
              						} else {
              							L309:
              							_t1286 = _v1936;
              							if(_v1936 != 0) {
              								_t755 = E0139DFE5(_t1070, _t1286,  &_v1944);
              							}
              							return E0138E203(_t755, _v8 ^ _t1273);
              						}
              					}
              				}
              			}
              0x0139d01e
              0x0139d027
              0x0139d027
              0x0139d029
              0x0139d02f
              0x0139d02f
              0x0139d03b
              0x0139d046
              0x0139d049
              0x0139d056
              0x0139d059
              0x0139d05a
              0x0139d05b
              0x0139d061
              0x0139d063
              0x0139d069
              0x0139d06f
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x0139d071
              0x0139d071
              0x0139d071
              0x0139d073
              0x00000000
              0x00000000
              0x0139d075
              0x0139d078
              0x0139d132
              0x0139d132
              0x0139d134
              0x0139d13a
              0x0139d140
              0x0139d141
              0x00000000
              0x0139d07e
              0x0139d07e
              0x0139d080
              0x0139d082
              0x0139d082
              0x0139d082
              0x0139d08a
              0x0139d08d
              0x0139d08d
              0x0139d093
              0x0139d095
              0x0139d097
              0x0139d09e
              0x0139d0a4
              0x0139d0a6
              0x00000000
              0x0139d0a6
              0x00000000
              0x0139d078
              0x00000000
              0x0139d071
              0x00000000
              0x0139d015
              0x0139cfd8
              0x0139cfd8
              0x0139cfda
              0x0139cfe0
              0x0139cfe7
              0x0139cfe7
              0x0139cfea
              0x0139cfea
              0x00000000
              0x0139cfda
              0x00000000
              0x0139d0be
              0x0139d0be
              0x0139d0bf
              0x0139d0bf
              0x00000000
              0x0139cfc4
              0x0139ce9d
              0x0139ce9d
              0x0139ceaf
              0x0139cebe
              0x0139cec3
              0x0139cec6
              0x0139cec8
              0x0139cee4
              0x0139cee7
              0x00000000
              0x0139ceed
              0x0139ceed
              0x0139cef4
              0x00000000
              0x0139cefa
              0x0139cf00
              0x0139cf02
              0x0139cf08
              0x0139cf08
              0x0139cf0a
              0x0139cf0a
              0x0139cf0c
              0x0139cf15
              0x0139cf1c
              0x0139cf1f
              0x0139cf20
              0x0139cf22
              0x0139cf22
              0x00000000
              0x0139cf0a
              0x0139cef4
              0x0139ceca
              0x0139cecc
              0x0139ced2
              0x0139ced8
              0x0139ced9
              0x00000000
              0x0139ced9
              0x0139cec8
              0x0139ce16
              0x0139ce16
              0x0139ce1c
              0x0139ce1e
              0x0139ce33
              0x0139ce36
              0x00000000
              0x0139ce3c
              0x0139ce3c
              0x0139ce43
              0x00000000
              0x0139ce49
              0x0139ce4f
              0x0139ce51
              0x0139ce57
              0x0139ce57
              0x0139ce59
              0x0139ce59
              0x0139ce5b
              0x0139ce64
              0x0139ce6b
              0x0139ce6e
              0x0139ce6f
              0x0139ce71
              0x0139ce71
              0x0139cf2a
              0x0139cf2a
              0x0139cf2c
              0x00000000
              0x0139cf32
              0x0139cf32
              0x0139cf38
              0x0139cf3b
              0x0139ce7e
              0x0139ce85
              0x00000000
              0x0139cf41
              0x0139cf43
              0x0139cf49
              0x0139cf4f
              0x0139cf50
              0x0139d147
              0x0139d147
              0x0139d14e
              0x0139d14f
              0x0139d150
              0x0139d155
              0x0139d158
              0x0139d158
              0x0139cf3b
              0x0139cf2c
              0x0139ce43
              0x0139ce20
              0x0139ce20
              0x0139ce22
              0x0139ce28
              0x0139d0d2
              0x0139d0d2
              0x0139d0d3
              0x0139d0d9
              0x0139d0d9
              0x0139d0e0
              0x0139d0e1
              0x0139d0e2
              0x0139d0e7
              0x0139d0ea
              0x0139d0ea
              0x0139d0ea
              0x0139ce1e
              0x0139d0ec
              0x0139d0ec
              0x0139d0ee
              0x0139d15c
              0x0139d163
              0x0139d163
              0x0139d163
              0x0139d16a
              0x0139d16c
              0x0139d172
              0x0139d173
              0x0139d61f
              0x0139d61f
              0x0139d620
              0x0139d621
              0x0139d626
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x0139d0f0
              0x0139d0f6
              0x0139d0f6
              0x0139d0fc
              0x0139d0fc
              0x0139d108
              0x00000000
              0x0139d108
              0x0139cd97
              0x0139d629
              0x0139d629
              0x0139d62f
              0x0139d631
              0x0139d637
              0x0139d63d
              0x0139d63f
              0x0139d641
              0x0139d643
              0x0139d643
              0x0139d645
              0x0139d645
              0x0139d64e
              0x0139d64f
              0x0139d653
              0x0139d65a
              0x0139d65d
              0x0139d65e
              0x0139d660
              0x0139d660
              0x0139d664
              0x0139d66a
              0x0139d66c
              0x0139d672
              0x0139d674
              0x0139d67a
              0x0139d67d
              0x0139d690
              0x0139d693
              0x0139d699
              0x0139d6ae
              0x0139d6b3
              0x0139d67f
              0x0139d681
              0x0139d688
              0x0139d688
              0x0139d67d
              0x0139d6b6
              0x0139d6b6
              0x0139d6c6
              0x0139d6cf
              0x0139d6d0
              0x0139d6d2
              0x0139d769
              0x0139d76b
              0x0139d776
              0x0139d776
              0x0139d778
              0x0139d77b
              0x0139d77d
              0x00000000
              0x0139d76d
              0x0139d773
              0x0139d773
              0x0139d6d8
              0x0139d6d8
              0x0139d6de
              0x0139d6e1
              0x0139d6e7
              0x0139d6ea
              0x0139d6f0
              0x0139d6f2
              0x0139d6f8
              0x0139d6fa
              0x0139d6fc
              0x0139d6fc
              0x0139d6fe
              0x0139d6fe
              0x0139d70b
              0x0139d712
              0x0139d715
              0x0139d716
              0x0139d718
              0x0139d719
              0x0139d719
              0x0139d71d
              0x0139d723
              0x0139d725
              0x0139d727
              0x0139d72d
              0x0139d730
              0x0139d744
              0x0139d74a
              0x0139d75f
              0x0139d764
              0x0139d732
              0x0139d732
              0x0139d739
              0x0139d739
              0x0139d730
              0x0139d725
              0x0139d783
              0x0139d783
              0x0139d783
              0x0139d78f
              0x0139d792
              0x0139d798
              0x0139d79a
              0x0139d79c
              0x0139d7a2
              0x0139d7a4
              0x0139d7a4
              0x0139d7a4
              0x0139d7a2
              0x0139d7a9
              0x0139d7aa
              0x0139d7ac
              0x0139d7ae
              0x0139d7ae
              0x0139d7b0
              0x0139d7b6
              0x0139d7bc
              0x0139d7be
              0x0139d7c4
              0x0139d7c4
              0x0139d7ca
              0x0139d7cc
              0x00000000
              0x00000000
              0x0139d7d2
              0x0139d7d4
              0x0139d7d6
              0x0139d7d6
              0x0139d7d8
              0x0139d7d8
              0x0139d7e8
              0x0139d7ef
              0x0139d7f2
              0x0139d7f3
              0x0139d7f5
              0x0139d7f5
              0x0139d7f9
              0x0139d7ff
              0x0139d801
              0x0139d803
              0x0139d809
              0x0139d80c
              0x0139d81d
              0x0139d820
              0x0139d826
              0x0139d83b
              0x0139d840
              0x0139d80e
              0x0139d80e
              0x0139d815
              0x0139d815
              0x0139d80c
              0x0139d851
              0x0139d860
              0x0139d861
              0x0139d861
              0x0139d863
              0x0139d865
              0x0139d865
              0x0139d86b
              0x0139d86e
              0x0139d870
              0x0139d872
              0x0139d872
              0x0139d875
              0x0139d876
              0x0139d876
              0x0139d87b
              0x0139d87e
              0x0139d882
              0x0139d882
              0x0139d883
              0x0139d885
              0x0139d88b
              0x0139d891
              0x00000000
              0x00000000
              0x00000000
              0x0139d891
              0x0139d7c4
              0x0139d897
              0x0139d897
              0x00000000
              0x0139d897
              0x0139c61c
              0x0139c613
              0x0139c60a
              0x0139c5c1
              0x0139c5c5
              0x0139c5cd
              0x00000000
              0x0139c5cf
              0x0139c5d5
              0x0139c5da
              0x0139d8b6
              0x0139d8b6
              0x0139d8b9
              0x0139d8c4
              0x0139d8ef
              0x0139d8f0
              0x0139d8f1
              0x0139d8f2
              0x0139d8f3
              0x0139d8f4
              0x0139d8f9
              0x0139d901
              0x0139d906
              0x0139d90c
              0x0139d911
              0x0139d912
              0x0139d912
              0x0139d912
              0x0139d918
              0x0139d919
              0x0139d919
              0x0139d91c
              0x0139d922
              0x00000000
              0x00000000
              0x0139d924
              0x0139d929
              0x0139d92c
              0x0139d92e
              0x0139d936
              0x0139d938
              0x0139d93a
              0x0139d93f
              0x0139d942
              0x0139d948
              0x0139d94b
              0x0139d94d
              0x0139d94d
              0x0139d94d
              0x0139d94d
              0x0139d94b
              0x0139d950
              0x0139d95c
              0x0139d962
              0x0139d96a
              0x0139d96f
              0x0139d970
              0x0139d975
              0x0139d975
              0x0139d975
              0x0139d975
              0x0139d979
              0x0139d979
              0x0139d97c
              0x0139d983
              0x0139d990
              0x0139d8c6
              0x0139d8c6
              0x0139d8c6
              0x0139d8d0
              0x0139d8d9
              0x0139d8de
              0x0139d8ec
              0x0139d8ec
              0x0139d8c4
              0x0139c5cd

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: 474a1cbc8ec9a7ad487d88f64c500ea143b4c2012d2009c044eedf8abf606ee6
              • Instruction ID: f89ef625c1970c7d8fb986b42f1c084003b006f82b9a9fb40389bbcda50caa96
              • Opcode Fuzzy Hash: 474a1cbc8ec9a7ad487d88f64c500ea143b4c2012d2009c044eedf8abf606ee6
              • Instruction Fuzzy Hash: 8BC26A72E086298FDF25CE68DD417EAB7B9EB44318F1441EAD50DE7241E778AE818F40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E01372692(intOrPtr* __ecx, void* __eflags) {
              				void* __ebp;
              				unsigned int _t333;
              				signed int _t337;
              				char _t356;
              				signed short _t363;
              				signed int _t368;
              				signed int _t374;
              				signed char _t376;
              				signed char _t379;
              				char _t396;
              				signed int _t397;
              				signed int _t401;
              				signed char _t415;
              				intOrPtr _t416;
              				char _t417;
              				signed int _t420;
              				signed int _t421;
              				signed char _t426;
              				signed int _t429;
              				signed int _t433;
              				signed short _t438;
              				signed short _t443;
              				unsigned int _t448;
              				signed int _t451;
              				void* _t454;
              				signed int _t456;
              				signed int _t459;
              				void* _t466;
              				signed int _t472;
              				unsigned int _t476;
              				void* _t477;
              				void* _t484;
              				void* _t485;
              				signed char _t491;
              				signed int _t505;
              				intOrPtr* _t518;
              				signed int _t521;
              				signed int _t522;
              				intOrPtr* _t523;
              				signed int _t531;
              				signed int _t536;
              				signed int _t538;
              				unsigned int _t547;
              				signed int _t549;
              				signed int _t560;
              				signed char _t562;
              				signed int _t563;
              				void* _t586;
              				signed int _t590;
              				signed int _t602;
              				signed int _t604;
              				signed int _t606;
              				unsigned int _t612;
              				signed char _t628;
              				signed char _t638;
              				signed int _t641;
              				unsigned int _t642;
              				signed int _t645;
              				signed int _t646;
              				signed int _t648;
              				signed int _t649;
              				unsigned int _t651;
              				signed int _t655;
              				void* _t656;
              				void* _t663;
              				signed int _t666;
              				signed int _t667;
              				signed char _t668;
              				signed int _t671;
              				void* _t673;
              				signed int _t679;
              				signed int _t680;
              				void* _t685;
              				signed int _t686;
              				signed int _t687;
              				signed int _t694;
              				signed int _t695;
              				intOrPtr _t697;
              				void* _t698;
              				signed char _t707;
              
              				_t523 = __ecx;
              				E0138D870(E013A1197, _t698);
              				E0138D940();
              				_t518 = _t523;
              				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
              				E0137C223(_t698 + 0x24, _t518);
              				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
              				 *((intOrPtr*)(_t698 - 4)) = 0;
              				_t655 = 7;
              				if( *(_t518 + 0x6cbc) == 0) {
              					L6:
              					 *((char*)(_t698 + 0x5f)) = 0;
              					L7:
              					E0137C42E(_t638, _t655);
              					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
              						 *(_t518 + 0x21e4) = E0137C269(_t698 + 0x24) & 0x0000ffff;
              						 *(_t518 + 0x21f4) = 0;
              						_t679 = E0137C251(_t698 + 0x24) & 0x000000ff;
              						_t333 = E0137C269(_t698 + 0x24) & 0x0000ffff;
              						 *(_t518 + 0x21ec) = _t333;
              						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
              						_t531 = E0137C269(_t698 + 0x24) & 0x0000ffff;
              						 *(_t518 + 0x21f0) = _t531;
              						 *(_t518 + 0x21e8) = _t679;
              						__eflags = _t531 - _t655;
              						if(_t531 >= _t655) {
              							_t680 = _t679 - 0x73;
              							__eflags = _t680;
              							if(_t680 == 0) {
              								 *(_t518 + 0x21e8) = 1;
              							} else {
              								_t694 = _t680 - 1;
              								__eflags = _t694;
              								if(_t694 == 0) {
              									 *(_t518 + 0x21e8) = 2;
              								} else {
              									_t695 = _t694 - 6;
              									__eflags = _t695;
              									if(_t695 == 0) {
              										 *(_t518 + 0x21e8) = 3;
              									} else {
              										__eflags = _t695 == 1;
              										if(_t695 == 1) {
              											 *(_t518 + 0x21e8) = 5;
              										}
              									}
              								}
              							}
              							_t337 =  *(_t518 + 0x21e8);
              							 *(_t518 + 0x21dc) = _t337;
              							__eflags = _t337 - 0x75;
              							if(_t337 != 0x75) {
              								__eflags = _t337 - 1;
              								if(_t337 != 1) {
              									L23:
              									_push(_t531 - 7);
              									L24:
              									E0137C42E(_t638);
              									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E01371901(_t518,  *(_t518 + 0x21f0));
              									_t536 =  *(_t518 + 0x21e8);
              									asm("adc eax, 0x0");
              									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
              									 *(_t698 + 0x50) = _t536;
              									__eflags = _t536 - 1;
              									if(__eflags == 0) {
              										_t656 = _t518 + 0x2208;
              										E0137A96C(_t656);
              										_t538 = 5;
              										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
              										 *(_t518 + 0x221c) = E0137C269(_t698 + 0x24);
              										_t638 = E0137C29E(_t698 + 0x24);
              										 *(_t518 + 0x2220) = _t638;
              										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
              										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
              										_t547 =  *(_t518 + 0x2210);
              										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
              										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
              										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
              										__eflags = _t638;
              										if(_t638 != 0) {
              											L119:
              											_t356 = 1;
              											__eflags = 1;
              											L120:
              											 *((char*)(_t518 + 0x6cb8)) = _t356;
              											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
              											_t549 = _t547 >> 0x00000004 & 0x00000001;
              											__eflags = _t549;
              											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
              											 *(_t518 + 0x6cba) = _t549;
              											L121:
              											_t655 = 7;
              											L122:
              											_t363 = E0137C34F(_t698 + 0x24, 0);
              											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
              											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
              												L132:
              												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
              												goto L133;
              											}
              											_t368 =  *(_t518 + 0x21e8);
              											__eflags = _t368 - 0x79;
              											if(_t368 == 0x79) {
              												goto L132;
              											}
              											__eflags = _t368 - 0x76;
              											if(_t368 == 0x76) {
              												goto L132;
              											}
              											__eflags = _t368 - 5;
              											if(_t368 != 5) {
              												L130:
              												 *((char*)(_t518 + 0x6cc4)) = 1;
              												E01376E03(0x13b00e0, 3);
              												__eflags =  *((char*)(_t698 + 0x5f));
              												if(__eflags == 0) {
              													goto L132;
              												}
              												E01376BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
              												 *((char*)(_t518 + 0x6cc5)) = 1;
              												goto L133;
              											}
              											__eflags =  *(_t518 + 0x45ae);
              											if( *(_t518 + 0x45ae) == 0) {
              												goto L130;
              											}
              											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
              											__eflags = _t374;
              											asm("sbb edx, ecx");
              											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
              											 *(_t698 + 0x5e) = 1;
              											do {
              												_t376 = E0137972B(_t518);
              												asm("sbb al, al");
              												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
              												 *(_t698 + 0x5e) = _t379;
              												_t655 = _t655 - 1;
              												__eflags = _t655;
              											} while (_t655 != 0);
              											__eflags = _t379;
              											if(_t379 != 0) {
              												goto L132;
              											}
              											goto L130;
              										}
              										_t356 = 0;
              										__eflags =  *(_t518 + 0x221c);
              										if( *(_t518 + 0x221c) == 0) {
              											goto L120;
              										}
              										goto L119;
              									}
              									if(__eflags <= 0) {
              										L115:
              										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
              										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
              											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E0137C29E(_t698 + 0x24);
              											asm("adc dword [ebx+0x6cac], 0x0");
              										}
              										goto L122;
              									}
              									__eflags = _t536 - 3;
              									if(_t536 <= 3) {
              										__eflags = _t536 - 2;
              										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
              										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
              										 *(_t698 + 0x48) = _t663;
              										E0137A8D2(_t663, 0);
              										_t560 = 5;
              										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
              										_t685 =  *(_t698 + 0x48);
              										_t666 =  *(_t698 + 0x50);
              										_t562 =  *(_t685 + 8);
              										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
              										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
              										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
              										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
              										__eflags = _t666 - 2;
              										if(_t666 != 2) {
              											L35:
              											_t641 = 0;
              											__eflags = 0;
              											_t396 = 0;
              											L36:
              											 *((char*)(_t685 + 0x10f0)) = _t396;
              											__eflags = _t666 - 2;
              											if(_t666 == 2) {
              												L39:
              												_t397 = _t641;
              												L40:
              												 *(_t685 + 0x10fa) = _t397;
              												_t563 = _t562 & 0x000000e0;
              												__eflags = _t563 - 0xe0;
              												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
              												__eflags = _t563 - 0xe0;
              												if(_t563 != 0xe0) {
              													_t642 =  *(_t685 + 8);
              													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
              													__eflags = 0x10000;
              												} else {
              													_t401 = _t641;
              													_t642 =  *(_t685 + 8);
              												}
              												 *(_t685 + 0x10f4) = _t401;
              												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
              												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
              												 *((intOrPtr*)(_t685 + 0x14)) = E0137C29E(_t698 + 0x24);
              												 *(_t698 + 0x54) = E0137C29E(_t698 + 0x24);
              												 *((char*)(_t685 + 0x18)) = E0137C251(_t698 + 0x24);
              												 *(_t685 + 0x1070) = 2;
              												 *((intOrPtr*)(_t685 + 0x1074)) = E0137C29E(_t698 + 0x24);
              												 *(_t698 + 0x18) = E0137C29E(_t698 + 0x24);
              												 *(_t685 + 0x1c) = E0137C251(_t698 + 0x24) & 0x000000ff;
              												 *((char*)(_t685 + 0x20)) = E0137C251(_t698 + 0x24) - 0x30;
              												 *(_t698 + 0x4c) = E0137C269(_t698 + 0x24) & 0x0000ffff;
              												_t415 = E0137C29E(_t698 + 0x24);
              												_t645 =  *(_t685 + 0x1c);
              												 *(_t698 + 0x58) = _t415;
              												 *(_t685 + 0x24) = _t415;
              												__eflags = _t645 - 0x14;
              												if(_t645 < 0x14) {
              													__eflags = _t415 & 0x00000010;
              													if((_t415 & 0x00000010) != 0) {
              														 *((char*)(_t685 + 0x10f1)) = 1;
              													}
              												}
              												 *(_t685 + 0x109c) = 0;
              												__eflags =  *(_t685 + 0x109b);
              												if( *(_t685 + 0x109b) == 0) {
              													L55:
              													_t416 =  *((intOrPtr*)(_t685 + 0x18));
              													 *(_t685 + 0x10fc) = 2;
              													__eflags = _t416 - 3;
              													if(_t416 == 3) {
              														L59:
              														 *(_t685 + 0x10fc) = 1;
              														L60:
              														 *(_t685 + 0x1100) = 0;
              														__eflags = _t416 - 3;
              														if(_t416 == 3) {
              															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
              															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
              																__eflags = 0;
              																 *(_t685 + 0x1100) = 1;
              																 *((short*)(_t685 + 0x1104)) = 0;
              															}
              														}
              														__eflags = _t666 - 2;
              														if(_t666 == 2) {
              															L66:
              															_t417 = 0;
              															goto L67;
              														} else {
              															__eflags =  *(_t685 + 0x24);
              															if( *(_t685 + 0x24) >= 0) {
              																goto L66;
              															}
              															_t417 = 1;
              															L67:
              															 *((char*)(_t685 + 0x10f8)) = _t417;
              															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
              															__eflags = _t420;
              															 *(_t685 + 0x10f9) = _t420;
              															if(_t420 == 0) {
              																__eflags =  *(_t698 + 0x54) - 0xffffffff;
              																_t638 = 0;
              																_t667 = 0;
              																_t137 =  *(_t698 + 0x54) == 0xffffffff;
              																__eflags = _t137;
              																_t421 = _t420 & 0xffffff00 | _t137;
              																L73:
              																 *(_t685 + 0x109a) = _t421;
              																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
              																asm("adc edi, ecx");
              																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
              																asm("adc edx, ecx");
              																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
              																__eflags =  *(_t685 + 0x109a);
              																 *(_t685 + 0x1064) = _t638;
              																if( *(_t685 + 0x109a) != 0) {
              																	 *(_t685 + 0x1060) = 0x7fffffff;
              																	 *(_t685 + 0x1064) = 0x7fffffff;
              																}
              																_t426 =  *(_t698 + 0x4c);
              																_t668 = 0x1fff;
              																 *(_t698 + 0x54) = 0x1fff;
              																__eflags = _t426 - 0x1fff;
              																if(_t426 < 0x1fff) {
              																	_t668 = _t426;
              																	 *(_t698 + 0x54) = _t426;
              																}
              																E0137C300(_t698 + 0x24, _t698 - 0x2030, _t668);
              																_t429 = 0;
              																__eflags =  *(_t698 + 0x50) - 2;
              																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
              																if( *(_t698 + 0x50) != 2) {
              																	 *(_t698 + 0x50) = _t685 + 0x28;
              																	_t432 = E01380FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
              																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
              																	__eflags =  *(_t685 + 8) & 0x00000400;
              																	if(( *(_t685 + 8) & 0x00000400) != 0) {
              																		_t671 = _t671 - 8;
              																		__eflags = _t671;
              																	}
              																	__eflags = _t671;
              																	if(_t671 <= 0) {
              																		_t672 = _t685 + 0x28;
              																	} else {
              																		 *(_t698 + 0x58) = _t685 + 0x1028;
              																		E01371EDE(_t685 + 0x1028, _t671);
              																		_t466 = E0137C300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
              																		_t672 = _t685 + 0x28;
              																		_t432 = E01392B69(_t466, _t685 + 0x28, L"RR");
              																		__eflags = _t432;
              																		if(_t432 == 0) {
              																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
              																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
              																				_t673 =  *( *(_t698 + 0x58));
              																				asm("cdq");
              																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
              																				asm("cdq");
              																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
              																				asm("adc esi, edx");
              																				asm("cdq");
              																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
              																				asm("adc esi, edx");
              																				asm("cdq");
              																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
              																				asm("adc esi, edx");
              																				 *(_t518 + 0x21c0) = _t472 << 9;
              																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
              																				_t476 = E0137F749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
              																				 *(_t518 + 0x21c8) = _t476;
              																				 *(_t698 + 0x58) = _t476;
              																				_t477 = E0138D890(_t475, _t638, 0xc8, 0);
              																				asm("adc edx, [ebx+0x21c4]");
              																				_t432 = E0137F749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
              																				_t612 =  *(_t698 + 0x58);
              																				_t685 =  *(_t698 + 0x48);
              																				_t672 =  *(_t698 + 0x50);
              																				__eflags = _t432 - _t612;
              																				if(_t432 > _t612) {
              																					_t432 = _t612 + 1;
              																					 *(_t518 + 0x21c8) = _t612 + 1;
              																				}
              																			}
              																		}
              																	}
              																	_t433 = E01392B69(_t432, _t672, L"CMT");
              																	__eflags = _t433;
              																	if(_t433 == 0) {
              																		 *((char*)(_t518 + 0x6cb6)) = 1;
              																	}
              																} else {
              																	_t672 = _t685 + 0x28;
              																	 *_t672 = 0;
              																	__eflags =  *(_t685 + 8) & 0x00000200;
              																	if(( *(_t685 + 8) & 0x00000200) != 0) {
              																		E013769E0(_t698);
              																		_t484 = E01392BB0(_t698 - 0x2030);
              																		_t638 =  *(_t698 + 0x54);
              																		_t485 = _t484 + 1;
              																		__eflags = _t638 - _t485;
              																		if(_t638 > _t485) {
              																			__eflags = _t485 + _t698 - 0x2030;
              																			E013769F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
              																		}
              																		_t429 = 0;
              																		__eflags = 0;
              																	}
              																	__eflags =  *_t672 - _t429;
              																	if( *_t672 == _t429) {
              																		_push(1);
              																		_push(0x800);
              																		_push(_t672);
              																		_push(_t698 - 0x2030);
              																		E0137F79F();
              																	}
              																	E01371F3D(_t518, _t685);
              																}
              																__eflags =  *(_t685 + 8) & 0x00000400;
              																if(( *(_t685 + 8) & 0x00000400) != 0) {
              																	E0137C300(_t698 + 0x24, _t685 + 0x10a1, 8);
              																}
              																E013808B2( *(_t698 + 0x18));
              																__eflags =  *(_t685 + 8) & 0x00001000;
              																if(( *(_t685 + 8) & 0x00001000) == 0) {
              																	L112:
              																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E01373CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
              																	 *(_t518 + 0x6cac) = _t638;
              																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
              																	_t438 = E0137C34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
              																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
              																	if( *_t685 != (_t438 & 0x0000ffff)) {
              																		 *((char*)(_t518 + 0x6cc4)) = 1;
              																		E01376E03(0x13b00e0, 1);
              																		__eflags =  *((char*)(_t698 + 0x5f));
              																		if(__eflags == 0) {
              																			E01376BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
              																		}
              																	}
              																	goto L121;
              																} else {
              																	_t443 = E0137C269(_t698 + 0x24);
              																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
              																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
              																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
              																	__eflags = 0;
              																	_t686 = 0;
              																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
              																	_t448 = _t443 & 0x0000ffff;
              																	 *(_t698 + 0x4c) = 0;
              																	 *(_t698 + 0x58) = _t448;
              																	do {
              																		_t586 = 3;
              																		_t521 = _t448 >> _t586 - _t686 << 2;
              																		__eflags = _t521 & 0x00000008;
              																		if((_t521 & 0x00000008) == 0) {
              																			goto L110;
              																		}
              																		__eflags =  *(_t698 + 4 + _t686 * 4);
              																		if( *(_t698 + 4 + _t686 * 4) == 0) {
              																			goto L110;
              																		}
              																		__eflags = _t686;
              																		if(__eflags != 0) {
              																			E013808B2(E0137C29E(_t698 + 0x24));
              																		}
              																		E013806E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
              																		__eflags = _t521 & 0x00000004;
              																		if((_t521 & 0x00000004) != 0) {
              																			_t249 = _t698 - 0x1c;
              																			 *_t249 =  *(_t698 - 0x1c) + 1;
              																			__eflags =  *_t249;
              																		}
              																		_t590 = 0;
              																		 *(_t698 - 0x18) = 0;
              																		_t522 = _t521 & 0x00000003;
              																		__eflags = _t522;
              																		if(_t522 <= 0) {
              																			L109:
              																			_t451 = _t590 * 0x64;
              																			__eflags = _t451;
              																			 *(_t698 - 0x18) = _t451;
              																			E01380910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
              																			_t448 =  *(_t698 + 0x58);
              																		} else {
              																			_t454 = 3;
              																			_t456 = _t454 - _t522 << 3;
              																			__eflags = _t456;
              																			 *(_t698 + 0x18) = _t456;
              																			_t687 = _t456;
              																			do {
              																				_t459 = (E0137C251(_t698 + 0x24) & 0x000000ff) << _t687;
              																				_t687 = _t687 + 8;
              																				_t590 =  *(_t698 - 0x18) | _t459;
              																				 *(_t698 - 0x18) = _t590;
              																				_t522 = _t522 - 1;
              																				__eflags = _t522;
              																			} while (_t522 != 0);
              																			_t686 =  *(_t698 + 0x4c);
              																			goto L109;
              																		}
              																		L110:
              																		_t686 = _t686 + 1;
              																		 *(_t698 + 0x4c) = _t686;
              																		__eflags = _t686 - 4;
              																	} while (_t686 < 4);
              																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
              																	_t685 =  *(_t698 + 0x48);
              																	goto L112;
              																}
              															}
              															_t667 = E0137C29E(_t698 + 0x24);
              															_t491 = E0137C29E(_t698 + 0x24);
              															__eflags =  *(_t698 + 0x54) - 0xffffffff;
              															_t638 = _t491;
              															if( *(_t698 + 0x54) != 0xffffffff) {
              																L71:
              																_t421 = 0;
              																goto L73;
              															}
              															__eflags = _t638 - 0xffffffff;
              															if(_t638 != 0xffffffff) {
              																goto L71;
              															}
              															_t421 = 1;
              															goto L73;
              														}
              													}
              													__eflags = _t416 - 5;
              													if(_t416 == 5) {
              														goto L59;
              													}
              													__eflags = _t416 - 6;
              													if(_t416 < 6) {
              														 *(_t685 + 0x10fc) = 0;
              													}
              													goto L60;
              												} else {
              													_t646 = _t645 - 0xd;
              													__eflags = _t646;
              													if(_t646 == 0) {
              														 *(_t685 + 0x109c) = 1;
              														goto L55;
              													}
              													_t648 = _t646;
              													__eflags = _t648;
              													if(_t648 == 0) {
              														 *(_t685 + 0x109c) = 2;
              														goto L55;
              													}
              													_t649 = _t648 - 5;
              													__eflags = _t649;
              													if(_t649 == 0) {
              														L52:
              														 *(_t685 + 0x109c) = 3;
              														goto L55;
              													}
              													__eflags = _t649 == 6;
              													if(_t649 == 6) {
              														goto L52;
              													}
              													 *(_t685 + 0x109c) = 4;
              													goto L55;
              												}
              											}
              											__eflags = _t562 & 0x00000010;
              											if((_t562 & 0x00000010) == 0) {
              												goto L39;
              											}
              											_t397 = 1;
              											goto L40;
              										}
              										__eflags = _t562 & 0x00000010;
              										if((_t562 & 0x00000010) == 0) {
              											goto L35;
              										} else {
              											_t396 = 1;
              											_t641 = 0;
              											goto L36;
              										}
              									}
              									__eflags = _t536 - 5;
              									if(_t536 != 5) {
              										goto L115;
              									} else {
              										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
              										_t651 =  *(_t518 + 0x4598);
              										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
              										_t628 = _t651 >> 0x00000001 & 0x00000001;
              										_t638 = _t651 >> 0x00000003 & 0x00000001;
              										 *(_t518 + 0x45ad) = _t628;
              										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
              										 *(_t518 + 0x45af) = _t638;
              										__eflags = _t628;
              										if(_t628 != 0) {
              											 *((intOrPtr*)(_t518 + 0x45a4)) = E0137C29E(_t698 + 0x24);
              										}
              										__eflags =  *(_t518 + 0x45af);
              										if( *(_t518 + 0x45af) != 0) {
              											_t505 = E0137C269(_t698 + 0x24) & 0x0000ffff;
              											 *(_t518 + 0x45a8) = _t505;
              											 *(_t518 + 0x6cd8) = _t505;
              										}
              										goto L121;
              									}
              								}
              								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
              								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
              									goto L20;
              								}
              								goto L23;
              							}
              							L20:
              							_push(6);
              							goto L24;
              						} else {
              							E01371EF8(_t518);
              							L133:
              							E0137159C(_t698 + 0x24);
              							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
              							return  *((intOrPtr*)(_t698 + 0x1c));
              						}
              					}
              					L8:
              					E01373DAB(_t518, _t638);
              					goto L133;
              				}
              				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
              				asm("adc eax, ecx");
              				_t707 =  *(_t518 + 0x6ca4);
              				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
              					goto L6;
              				} else {
              					 *((char*)(_t698 + 0x5f)) = 1;
              					E01373C40(_t518);
              					_push(8);
              					_push(_t698 + 0x14);
              					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
              						goto L8;
              					} else {
              						_t697 = _t518 + 0x1024;
              						E0137607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
              						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
              						goto L7;
              					}
              				}
              			}

              APIs
              • __EH_prolog.LIBCMT ref: 0137269B
              • _strlen.LIBCMT ref: 01372C1F
                • Part of subcall function 01380FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0137B312,00000000,?,?,?,00160024), ref: 01380FFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01372D76
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
              • String ID: CMT
              • API String ID: 1706572503-2756464174
              • Opcode ID: d6f8058f0372777d57c207fd5ba3fe7c3c8baac4264fe5587e0378b9c102ba87
              • Instruction ID: 4972fd04a71427a8ed93347068c96077f76dc871f75e6c4c73de95b50181531e
              • Opcode Fuzzy Hash: d6f8058f0372777d57c207fd5ba3fe7c3c8baac4264fe5587e0378b9c102ba87
              • Instruction Fuzzy Hash: EF6206715002858FDF39DF78C8956EA3BE1EF64308F08457EED9A9B282DB789944CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E01397BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				char _v0;
              				signed int _v8;
              				intOrPtr _v524;
              				intOrPtr _v528;
              				void* _v532;
              				intOrPtr _v536;
              				char _v540;
              				intOrPtr _v544;
              				intOrPtr _v548;
              				intOrPtr _v552;
              				intOrPtr _v556;
              				intOrPtr _v560;
              				intOrPtr _v564;
              				intOrPtr _v568;
              				intOrPtr _v572;
              				intOrPtr _v576;
              				intOrPtr _v580;
              				intOrPtr _v584;
              				char _v724;
              				intOrPtr _v792;
              				intOrPtr _v800;
              				char _v804;
              				intOrPtr _v808;
              				char _v812;
              				signed int _t40;
              				char* _t47;
              				intOrPtr _t49;
              				intOrPtr _t60;
              				intOrPtr _t61;
              				intOrPtr _t65;
              				intOrPtr _t66;
              				int _t67;
              				intOrPtr _t68;
              				signed int _t69;
              
              				_t68 = __esi;
              				_t66 = __edi;
              				_t65 = __edx;
              				_t60 = __ebx;
              				_t40 =  *0x13ad668; // 0x5221689b
              				_t41 = _t40 ^ _t69;
              				_v8 = _t40 ^ _t69;
              				if(_a4 != 0xffffffff) {
              					_push(_a4);
              					E0138E690(_t41);
              					_pop(_t61);
              				}
              				E0138E920(_t66,  &_v804, 0, 0x50);
              				E0138E920(_t66,  &_v724, 0, 0x2cc);
              				_v812 =  &_v804;
              				_t47 =  &_v724;
              				_v808 = _t47;
              				_v548 = _t47;
              				_v552 = _t61;
              				_v556 = _t65;
              				_v560 = _t60;
              				_v564 = _t68;
              				_v568 = _t66;
              				_v524 = ss;
              				_v536 = cs;
              				_v572 = ds;
              				_v576 = es;
              				_v580 = fs;
              				_v584 = gs;
              				asm("pushfd");
              				_pop( *_t22);
              				_v540 = _v0;
              				_t25 =  &_v0; // 0x1b
              				_t49 = _t25;
              				_v528 = _t49;
              				_v724 = 0x10001;
              				_v544 =  *((intOrPtr*)(_t49 - 4));
              				_v804 = _a8;
              				_v800 = _a12;
              				_v792 = _v0;
              				_t67 = IsDebuggerPresent();
              				SetUnhandledExceptionFilter(0);
              				_t36 =  &_v812; // -785
              				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
              					_push(_a4);
              					_t57 = E0138E690(_t57);
              				}
              				return E0138E203(_t57, _v8 ^ _t69);
              			}


              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01397CD9
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01397CE3
              • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 01397CF0
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: c08e64fd6a0a49ec8fdf2a90631eaaed8ba1604a88deeb142e07127c1c0fbd75
              • Instruction ID: 3a63803e59e750faedd5a7d19e2c947bb752b9d49faea001a1e3c0a796a7a3d4
              • Opcode Fuzzy Hash: c08e64fd6a0a49ec8fdf2a90631eaaed8ba1604a88deeb142e07127c1c0fbd75
              • Instruction Fuzzy Hash: E231C57591131D9BCF61EF68D888B9DBBB8BF08314F5041EAE41CA7290E7749B818F44
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E01399FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
              				intOrPtr _v8;
              				signed int _v12;
              				intOrPtr* _v32;
              				CHAR* _v36;
              				signed int _v48;
              				char _v286;
              				signed int _v287;
              				struct _WIN32_FIND_DATAA _v332;
              				intOrPtr* _v336;
              				signed int _v340;
              				signed int _v344;
              				intOrPtr _v372;
              				signed int _t35;
              				signed int _t40;
              				signed int _t43;
              				intOrPtr _t45;
              				signed char _t47;
              				intOrPtr* _t55;
              				union _FINDEX_INFO_LEVELS _t57;
              				union _FINDEX_INFO_LEVELS _t58;
              				signed int _t62;
              				signed int _t65;
              				void* _t71;
              				void* _t73;
              				signed int _t74;
              				void* _t77;
              				CHAR* _t78;
              				intOrPtr* _t82;
              				intOrPtr _t84;
              				void* _t86;
              				intOrPtr* _t87;
              				signed int _t91;
              				signed int _t95;
              				void* _t100;
              				intOrPtr _t101;
              				signed int _t104;
              				union _FINDEX_INFO_LEVELS _t105;
              				void* _t110;
              				intOrPtr _t111;
              				void* _t112;
              				signed int _t117;
              				void* _t118;
              				signed int _t119;
              				void* _t120;
              				void* _t121;
              
              				_push(__ecx);
              				_t82 = _a4;
              				_t2 = _t82 + 1; // 0x1
              				_t100 = _t2;
              				do {
              					_t35 =  *_t82;
              					_t82 = _t82 + 1;
              				} while (_t35 != 0);
              				_push(__edi);
              				_t104 = _a12;
              				_t84 = _t82 - _t100 + 1;
              				_v8 = _t84;
              				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
              					_push(__ebx);
              					_push(__esi);
              					_t5 = _t104 + 1; // 0x1
              					_t77 = _t5 + _t84;
              					_t110 = E01397B1B(_t84, _t77, 1);
              					_pop(_t86);
              					__eflags = _t104;
              					if(_t104 == 0) {
              						L6:
              						_push(_v8);
              						_t77 = _t77 - _t104;
              						_t40 = E0139DD71(_t86, _t110 + _t104, _t77, _a4);
              						_t119 = _t118 + 0x10;
              						__eflags = _t40;
              						if(__eflags != 0) {
              							goto L9;
              						} else {
              							_t71 = E0139A212(_a16, _t100, __eflags, _t110);
              							E01397A50(0);
              							_t73 = _t71;
              							goto L8;
              						}
              					} else {
              						_push(_t104);
              						_t74 = E0139DD71(_t86, _t110, _t77, _a8);
              						_t119 = _t118 + 0x10;
              						__eflags = _t74;
              						if(_t74 != 0) {
              							L9:
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							E01397DBB();
              							asm("int3");
              							_t117 = _t119;
              							_t120 = _t119 - 0x150;
              							_t43 =  *0x13ad668; // 0x5221689b
              							_v48 = _t43 ^ _t117;
              							_t87 = _v32;
              							_push(_t77);
              							_t78 = _v36;
              							_push(_t110);
              							_t111 = _v332.cAlternateFileName;
              							_push(_t104);
              							_v372 = _t111;
              							while(1) {
              								__eflags = _t87 - _t78;
              								if(_t87 == _t78) {
              									break;
              								}
              								_t45 =  *_t87;
              								__eflags = _t45 - 0x2f;
              								if(_t45 != 0x2f) {
              									__eflags = _t45 - 0x5c;
              									if(_t45 != 0x5c) {
              										__eflags = _t45 - 0x3a;
              										if(_t45 != 0x3a) {
              											_t87 = E0139DDC0(_t78, _t87);
              											continue;
              										}
              									}
              								}
              								break;
              							}
              							_t101 =  *_t87;
              							__eflags = _t101 - 0x3a;
              							if(_t101 != 0x3a) {
              								L19:
              								_t105 = 0;
              								__eflags = _t101 - 0x2f;
              								if(_t101 == 0x2f) {
              									L23:
              									_t47 = 1;
              									__eflags = 1;
              								} else {
              									__eflags = _t101 - 0x5c;
              									if(_t101 == 0x5c) {
              										goto L23;
              									} else {
              										__eflags = _t101 - 0x3a;
              										if(_t101 == 0x3a) {
              											goto L23;
              										} else {
              											_t47 = 0;
              										}
              									}
              								}
              								_t89 = _t87 - _t78 + 1;
              								asm("sbb eax, eax");
              								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
              								E0138E920(_t105,  &_v332, _t105, 0x140);
              								_t121 = _t120 + 0xc;
              								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
              								_t55 = _v336;
              								__eflags = _t112 - 0xffffffff;
              								if(_t112 != 0xffffffff) {
              									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
              									__eflags = _t91;
              									_t92 = _t91 >> 2;
              									_v344 = _t91 >> 2;
              									do {
              										__eflags = _v332.cFileName - 0x2e;
              										if(_v332.cFileName != 0x2e) {
              											L36:
              											_push(_t55);
              											_t57 = E01399FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
              											_t121 = _t121 + 0x10;
              											__eflags = _t57;
              											if(_t57 != 0) {
              												goto L26;
              											} else {
              												goto L37;
              											}
              										} else {
              											_t92 = _v287;
              											__eflags = _t92;
              											if(_t92 == 0) {
              												goto L37;
              											} else {
              												__eflags = _t92 - 0x2e;
              												if(_t92 != 0x2e) {
              													goto L36;
              												} else {
              													__eflags = _v286;
              													if(_v286 == 0) {
              														goto L37;
              													} else {
              														goto L36;
              													}
              												}
              											}
              										}
              										goto L40;
              										L37:
              										_t62 = FindNextFileA(_t112,  &_v332);
              										__eflags = _t62;
              										_t55 = _v336;
              									} while (_t62 != 0);
              									_t102 =  *_t55;
              									_t95 = _v344;
              									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
              									__eflags = _t95 - _t65;
              									if(_t95 != _t65) {
              										E01395030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E01399E2B);
              									}
              								} else {
              									_push(_t55);
              									_t57 = E01399FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
              									L26:
              									_t105 = _t57;
              								}
              								__eflags = _t112 - 0xffffffff;
              								if(_t112 != 0xffffffff) {
              									FindClose(_t112);
              								}
              								_t58 = _t105;
              							} else {
              								__eflags = _t87 -  &(_t78[1]);
              								if(_t87 ==  &(_t78[1])) {
              									goto L19;
              								} else {
              									_push(_t111);
              									_t58 = E01399FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
              								}
              							}
              							__eflags = _v12 ^ _t117;
              							return E0138E203(_t58, _v12 ^ _t117);
              						} else {
              							goto L6;
              						}
              					}
              				} else {
              					_t73 = 0xc;
              					L8:
              					return _t73;
              				}
              				L40:
              			}

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: .
              • API String ID: 0-248832578
              • Opcode ID: fd2de4ad728f72ffc74ea829bfe5193db123eea72fe2012ad450da7cf073b724
              • Instruction ID: c35a993bd6adf65f53d56e414adc32a88d21b2deb001de2de425926cc014887b
              • Opcode Fuzzy Hash: fd2de4ad728f72ffc74ea829bfe5193db123eea72fe2012ad450da7cf073b724
              • Instruction Fuzzy Hash: BD31E5B29002496FDF258E7CCC84EFB7BBDDB85318F1402A8E91997251E6309D458B60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E0139C0B0(signed int* _a4, signed int* _a8) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				signed int _v44;
              				signed int _v52;
              				signed int _v56;
              				signed int _v60;
              				signed int _v64;
              				signed int _v68;
              				signed int _v72;
              				signed int _v76;
              				signed int* _v80;
              				char _v540;
              				signed int _v544;
              				signed int _t197;
              				signed int _t198;
              				signed int* _t200;
              				signed int _t201;
              				signed int _t204;
              				signed int _t206;
              				signed int _t208;
              				signed int _t209;
              				signed int _t213;
              				signed int _t219;
              				intOrPtr _t225;
              				void* _t228;
              				signed int _t230;
              				signed int _t247;
              				signed int _t250;
              				void* _t253;
              				signed int _t256;
              				signed int* _t262;
              				signed int _t263;
              				signed int _t264;
              				void* _t265;
              				intOrPtr* _t266;
              				signed int _t267;
              				signed int _t269;
              				signed int _t270;
              				signed int _t271;
              				signed int _t272;
              				signed int* _t274;
              				signed int* _t278;
              				signed int _t279;
              				signed int _t280;
              				intOrPtr _t282;
              				void* _t286;
              				signed char _t292;
              				signed int _t295;
              				signed int _t303;
              				signed int _t306;
              				signed int _t307;
              				signed int _t309;
              				signed int _t311;
              				signed int _t313;
              				intOrPtr* _t314;
              				signed int _t318;
              				signed int _t322;
              				signed int* _t328;
              				signed int _t330;
              				signed int _t331;
              				signed int _t333;
              				void* _t334;
              				signed int _t336;
              				signed int _t338;
              				signed int _t341;
              				signed int _t342;
              				signed int* _t344;
              				signed int _t349;
              				signed int _t351;
              				void* _t355;
              				signed int _t359;
              				signed int _t360;
              				signed int _t362;
              				signed int* _t368;
              				signed int* _t369;
              				signed int* _t370;
              				signed int* _t373;
              
              				_t262 = _a4;
              				_t197 =  *_t262;
              				if(_t197 != 0) {
              					_t328 = _a8;
              					_t267 =  *_t328;
              					__eflags = _t267;
              					if(_t267 != 0) {
              						_t3 = _t197 - 1; // -1
              						_t349 = _t3;
              						_t4 = _t267 - 1; // -1
              						_t198 = _t4;
              						_v16 = _t349;
              						__eflags = _t198;
              						if(_t198 != 0) {
              							__eflags = _t198 - _t349;
              							if(_t198 > _t349) {
              								L23:
              								__eflags = 0;
              								return 0;
              							} else {
              								_t46 = _t198 + 1; // 0x0
              								_t306 = _t349 - _t198;
              								_v60 = _t46;
              								_t269 = _t349;
              								__eflags = _t349 - _t306;
              								if(_t349 < _t306) {
              									L21:
              									_t306 = _t306 + 1;
              									__eflags = _t306;
              								} else {
              									_t368 =  &(_t262[_t349 + 1]);
              									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
              									__eflags = _t341;
              									while(1) {
              										__eflags =  *_t341 -  *_t368;
              										if( *_t341 !=  *_t368) {
              											break;
              										}
              										_t269 = _t269 - 1;
              										_t341 = _t341 - 4;
              										_t368 = _t368 - 4;
              										__eflags = _t269 - _t306;
              										if(_t269 >= _t306) {
              											continue;
              										} else {
              											goto L21;
              										}
              										goto L22;
              									}
              									_t369 = _a8;
              									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
              									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
              									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
              										goto L21;
              									}
              								}
              								L22:
              								__eflags = _t306;
              								if(__eflags != 0) {
              									_t330 = _v60;
              									_t200 = _a8;
              									_t351 =  *(_t200 + _t330 * 4);
              									_t64 = _t330 * 4; // 0xffffe9e5
              									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
              									_v36 = _t201;
              									asm("bsr eax, esi");
              									_v56 = _t351;
              									if(__eflags == 0) {
              										_t270 = 0x20;
              									} else {
              										_t270 = 0x1f - _t201;
              									}
              									_v40 = _t270;
              									_v64 = 0x20 - _t270;
              									__eflags = _t270;
              									if(_t270 != 0) {
              										_t292 = _v40;
              										_v36 = _v36 << _t292;
              										_v56 = _t351 << _t292 | _v36 >> _v64;
              										__eflags = _t330 - 2;
              										if(_t330 > 2) {
              											_t79 = _t330 * 4; // 0xe850ffff
              											_t81 =  &_v36;
              											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
              											__eflags =  *_t81;
              										}
              									}
              									_v76 = 0;
              									_t307 = _t306 + 0xffffffff;
              									__eflags = _t307;
              									_v32 = _t307;
              									if(_t307 < 0) {
              										_t331 = 0;
              										__eflags = 0;
              									} else {
              										_t85 =  &(_t262[1]); // 0x4
              										_v20 =  &(_t85[_t307]);
              										_t206 = _t307 + _t330;
              										_t90 = _t262 - 4; // -4
              										_v12 = _t206;
              										_t278 = _t90 + _t206 * 4;
              										_v80 = _t278;
              										do {
              											__eflags = _t206 - _v16;
              											if(_t206 > _v16) {
              												_t207 = 0;
              												__eflags = 0;
              											} else {
              												_t207 = _t278[2];
              											}
              											__eflags = _v40;
              											_t311 = _t278[1];
              											_t279 =  *_t278;
              											_v52 = _t207;
              											_v44 = 0;
              											_v8 = _t207;
              											_v24 = _t279;
              											if(_v40 > 0) {
              												_t318 = _v8;
              												_t336 = _t279 >> _v64;
              												_t230 = E0138DDA0(_t311, _v40, _t318);
              												_t279 = _v40;
              												_t207 = _t318;
              												_t311 = _t336 | _t230;
              												_t359 = _v24 << _t279;
              												__eflags = _v12 - 3;
              												_v8 = _t318;
              												_v24 = _t359;
              												if(_v12 >= 3) {
              													_t279 = _v64;
              													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
              													__eflags = _t360;
              													_t207 = _v8;
              													_v24 = _t360;
              												}
              											}
              											_t208 = E013A0DE0(_t311, _t207, _v56, 0);
              											_v44 = _t262;
              											_t263 = _t208;
              											_v44 = 0;
              											_t209 = _t311;
              											_v8 = _t263;
              											_v28 = _t209;
              											_t333 = _t279;
              											_v72 = _t263;
              											_v68 = _t209;
              											__eflags = _t209;
              											if(_t209 != 0) {
              												L40:
              												_t264 = _t263 + 1;
              												asm("adc eax, 0xffffffff");
              												_t333 = _t333 + E0138DDC0(_t264, _t209, _v56, 0);
              												asm("adc esi, edx");
              												_t263 = _t264 | 0xffffffff;
              												_t209 = 0;
              												__eflags = 0;
              												_v44 = 0;
              												_v8 = _t263;
              												_v72 = _t263;
              												_v28 = 0;
              												_v68 = 0;
              											} else {
              												__eflags = _t263 - 0xffffffff;
              												if(_t263 > 0xffffffff) {
              													goto L40;
              												}
              											}
              											__eflags = 0;
              											if(0 <= 0) {
              												if(0 < 0) {
              													goto L44;
              												} else {
              													__eflags = _t333 - 0xffffffff;
              													if(_t333 <= 0xffffffff) {
              														while(1) {
              															L44:
              															_v8 = _v24;
              															_t228 = E0138DDC0(_v36, 0, _t263, _t209);
              															__eflags = _t311 - _t333;
              															if(__eflags < 0) {
              																break;
              															}
              															if(__eflags > 0) {
              																L47:
              																_t209 = _v28;
              																_t263 = _t263 + 0xffffffff;
              																_v72 = _t263;
              																asm("adc eax, 0xffffffff");
              																_t333 = _t333 + _v56;
              																__eflags = _t333;
              																_v28 = _t209;
              																asm("adc dword [ebp-0x28], 0x0");
              																_v68 = _t209;
              																if(_t333 == 0) {
              																	__eflags = _t333 - 0xffffffff;
              																	if(_t333 <= 0xffffffff) {
              																		continue;
              																	} else {
              																	}
              																}
              															} else {
              																__eflags = _t228 - _v8;
              																if(_t228 <= _v8) {
              																	break;
              																} else {
              																	goto L47;
              																}
              															}
              															L51:
              															_v8 = _t263;
              															goto L52;
              														}
              														_t209 = _v28;
              														goto L51;
              													}
              												}
              											}
              											L52:
              											__eflags = _t209;
              											if(_t209 != 0) {
              												L54:
              												_t280 = _v60;
              												_t334 = 0;
              												_t355 = 0;
              												__eflags = _t280;
              												if(_t280 != 0) {
              													_t266 = _v20;
              													_t219 =  &(_a8[1]);
              													__eflags = _t219;
              													_v24 = _t219;
              													_v16 = _t280;
              													do {
              														_v44 =  *_t219;
              														_t225 =  *_t266;
              														_t286 = _t334 + _v72 * _v44;
              														asm("adc esi, edx");
              														_t334 = _t355;
              														_t355 = 0;
              														__eflags = _t225 - _t286;
              														if(_t225 < _t286) {
              															_t334 = _t334 + 1;
              															asm("adc esi, esi");
              														}
              														 *_t266 = _t225 - _t286;
              														_t266 = _t266 + 4;
              														_t219 = _v24 + 4;
              														_t164 =  &_v16;
              														 *_t164 = _v16 - 1;
              														__eflags =  *_t164;
              														_v24 = _t219;
              													} while ( *_t164 != 0);
              													_t263 = _v8;
              													_t280 = _v60;
              												}
              												__eflags = 0 - _t355;
              												if(__eflags <= 0) {
              													if(__eflags < 0) {
              														L63:
              														__eflags = _t280;
              														if(_t280 != 0) {
              															_t338 = _t280;
              															_t314 = _v20;
              															_t362 =  &(_a8[1]);
              															__eflags = _t362;
              															_t265 = 0;
              															do {
              																_t282 =  *_t314;
              																_t172 = _t362 + 4; // 0xa6a5959
              																_t362 = _t172;
              																_t314 = _t314 + 4;
              																asm("adc eax, eax");
              																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
              																asm("adc eax, 0x0");
              																_t265 = 0;
              																_t338 = _t338 - 1;
              																__eflags = _t338;
              															} while (_t338 != 0);
              															_t263 = _v8;
              														}
              														_t263 = _t263 + 0xffffffff;
              														asm("adc dword [ebp-0x18], 0xffffffff");
              													} else {
              														__eflags = _v52 - _t334;
              														if(_v52 < _t334) {
              															goto L63;
              														}
              													}
              												}
              												_t213 = _v12 - 1;
              												__eflags = _t213;
              												_v16 = _t213;
              											} else {
              												__eflags = _t263;
              												if(_t263 != 0) {
              													goto L54;
              												}
              											}
              											_t331 = 0 + _t263;
              											asm("adc esi, 0x0");
              											_v20 = _v20 - 4;
              											_t313 = _v32 - 1;
              											_t262 = _a4;
              											_t278 = _v80 - 4;
              											_t206 = _v12 - 1;
              											_v76 = _t331;
              											_v32 = _t313;
              											_v80 = _t278;
              											_v12 = _t206;
              											__eflags = _t313;
              										} while (_t313 >= 0);
              									}
              									_t309 = _v16 + 1;
              									_t204 = _t309;
              									__eflags = _t204 -  *_t262;
              									if(_t204 <  *_t262) {
              										_t191 = _t204 + 1; // 0x139d6cd
              										_t274 =  &(_t262[_t191]);
              										do {
              											 *_t274 = 0;
              											_t194 =  &(_t274[1]); // 0x91850fc2
              											_t274 = _t194;
              											_t204 = _t204 + 1;
              											__eflags = _t204 -  *_t262;
              										} while (_t204 <  *_t262);
              									}
              									 *_t262 = _t309;
              									__eflags = _t309;
              									if(_t309 != 0) {
              										while(1) {
              											_t271 =  *_t262;
              											__eflags = _t262[_t271];
              											if(_t262[_t271] != 0) {
              												goto L78;
              											}
              											_t272 = _t271 + 0xffffffff;
              											__eflags = _t272;
              											 *_t262 = _t272;
              											if(_t272 != 0) {
              												continue;
              											}
              											goto L78;
              										}
              									}
              									L78:
              									return _t331;
              								} else {
              									goto L23;
              								}
              							}
              						} else {
              							_t6 =  &(_t328[1]); // 0xfc23b5a
              							_t295 =  *_t6;
              							_v44 = _t295;
              							__eflags = _t295 - 1;
              							if(_t295 != 1) {
              								__eflags = _t349;
              								if(_t349 != 0) {
              									_t342 = 0;
              									_v12 = 0;
              									_v8 = 0;
              									_v20 = 0;
              									__eflags = _t349 - 0xffffffff;
              									if(_t349 != 0xffffffff) {
              										_t250 = _v16 + 1;
              										__eflags = _t250;
              										_v32 = _t250;
              										_t373 =  &(_t262[_t349 + 1]);
              										do {
              											_t253 = E013A0DE0( *_t373, _t342, _t295, 0);
              											_v68 = _t303;
              											_t373 = _t373 - 4;
              											_v20 = _t262;
              											_t342 = _t295;
              											_t303 = 0 + _t253;
              											asm("adc ecx, 0x0");
              											_v12 = _t303;
              											_t34 =  &_v32;
              											 *_t34 = _v32 - 1;
              											__eflags =  *_t34;
              											_v8 = _v12;
              											_t295 = _v44;
              										} while ( *_t34 != 0);
              										_t262 = _a4;
              									}
              									_v544 = 0;
              									_t41 =  &(_t262[1]); // 0x4
              									_t370 = _t41;
              									 *_t262 = 0;
              									E0139AA64(_t370, 0x1cc,  &_v540, 0);
              									_t247 = _v20;
              									__eflags = 0 - _t247;
              									 *_t370 = _t342;
              									_t262[2] = _t247;
              									asm("sbb ecx, ecx");
              									__eflags =  ~0x00000000;
              									 *_t262 = 0xbadbae;
              									return _v12;
              								} else {
              									_t14 =  &(_t262[1]); // 0x4
              									_t344 = _t14;
              									_v544 = 0;
              									 *_t262 = 0;
              									E0139AA64(_t344, 0x1cc,  &_v540, 0);
              									_t256 = _t262[1];
              									_t322 = _t256 % _v44;
              									__eflags = 0 - _t322;
              									 *_t344 = _t322;
              									asm("sbb ecx, ecx");
              									__eflags = 0;
              									 *_t262 =  ~0x00000000;
              									return _t256 / _v44;
              								}
              							} else {
              								_t9 =  &(_t262[1]); // 0x4
              								_v544 = _t198;
              								 *_t262 = _t198;
              								E0139AA64(_t9, 0x1cc,  &_v540, _t198);
              								__eflags = 0;
              								return _t262[1];
              							}
              						}
              					} else {
              						__eflags = 0;
              						return 0;
              					}
              				} else {
              					return _t197;
              				}
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
              • Instruction ID: af85b20d19675134dc51959697fe590ae4421a2569bbaf41e9459eb989d36e02
              • Opcode Fuzzy Hash: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
              • Instruction Fuzzy Hash: BF021D71E002199BDF15CFADC9906AEBBF1FF48318F15816AD919E7381D731AA41CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01389D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
              				short _v104;
              				short _v304;
              				short* _t23;
              				int _t24;
              
              				if( *0x13ad610 == 0) {
              					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
              					 *0x13cde30 = _v304;
              					 *0x13cde32 = 0;
              					 *0x13ad610 = 0x13cde30;
              				}
              				E0137F980(_a4, _a8,  &_v104, 0x32);
              				_t23 = _a12;
              				_t24 = _a16;
              				 *_t23 = 0;
              				GetNumberFormatW(0x400, 0,  &_v104, 0x13ad600, _t23, _t24);
              				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
              				return 0;
              			}

              APIs
              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 01389DBF
              • GetNumberFormatW.KERNEL32 ref: 01389E0E
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FormatInfoLocaleNumber
              • String ID:
              • API String ID: 2169056816-0
              • Opcode ID: c60d3cd516cbb60e01f155302889310e3a1eda42ea095fd32c1d445def322da1
              • Instruction ID: 60ceaaa4eb1cec7abd0447db237fa172a5f793084b61ab5b44d9621ec5e5724b
              • Opcode Fuzzy Hash: c60d3cd516cbb60e01f155302889310e3a1eda42ea095fd32c1d445def322da1
              • Instruction Fuzzy Hash: 68017C39140308BEDB209FB4EC45FABB7BCEF49724F805426FA0897150D370A9248BE5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E01376D06(WCHAR* _a4, long _a8) {
              				long _t3;
              				signed int _t5;
              
              				_t3 = GetLastError();
              				if(_t3 == 0) {
              					return 0;
              				}
              				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
              				asm("sbb eax, eax");
              				return  ~( ~_t5);
              			}

              APIs
              • GetLastError.KERNEL32(01380DE0,?,00000200), ref: 01376D06
              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 01376D27
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: f50ce65338300d3075b42cc6f65acf270fd7b49a56ca76c68b9a15b2e5bb6c81
              • Instruction ID: c99d472b7bf74322547f008c7a9c9121829d28c694fdb673f0e9fcfc6307e6ba
              • Opcode Fuzzy Hash: f50ce65338300d3075b42cc6f65acf270fd7b49a56ca76c68b9a15b2e5bb6c81
              • Instruction Fuzzy Hash: 8AD0A9B03D8302BEFA300A308C0AF2B3B9AB79AB82F108900B302E80C0C6708014C728
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E013A0654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
              				signed int _t172;
              				signed int _t175;
              				signed int _t178;
              				signed int* _t179;
              				signed int _t195;
              				signed int _t199;
              				signed int _t202;
              				void* _t203;
              				void* _t206;
              				signed int _t209;
              				void* _t210;
              				signed int _t225;
              				unsigned int* _t240;
              				signed char _t242;
              				signed int* _t250;
              				unsigned int* _t256;
              				signed int* _t257;
              				signed char _t259;
              				long _t262;
              				signed int* _t265;
              
              				 *(_a4 + 4) = 0;
              				_t262 = 0xc000000d;
              				 *(_a4 + 8) = 0;
              				 *(_a4 + 0xc) = 0;
              				_t242 = _a12;
              				if((_t242 & 0x00000010) != 0) {
              					_t262 = 0xc000008f;
              					 *(_a4 + 4) =  *(_a4 + 4) | 1;
              				}
              				if((_t242 & 0x00000002) != 0) {
              					_t262 = 0xc0000093;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
              				}
              				if((_t242 & 0x00000001) != 0) {
              					_t262 = 0xc0000091;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
              				}
              				if((_t242 & 0x00000004) != 0) {
              					_t262 = 0xc000008e;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
              				}
              				if((_t242 & 0x00000008) != 0) {
              					_t262 = 0xc0000090;
              					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
              				}
              				_t265 = _a8;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
              				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
              				_t259 = E0139DFB6(_a4);
              				if((_t259 & 0x00000001) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
              				}
              				if((_t259 & 0x00000004) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
              				}
              				if((_t259 & 0x00000008) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
              				}
              				if((_t259 & 0x00000010) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
              				}
              				if((_t259 & 0x00000020) != 0) {
              					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
              				}
              				_t172 =  *_t265 & 0x00000c00;
              				if(_t172 == 0) {
              					 *_a4 =  *_a4 & 0xfffffffc;
              				} else {
              					if(_t172 == 0x400) {
              						_t257 = _a4;
              						_t225 =  *_t257 & 0xfffffffd | 1;
              						L26:
              						 *_t257 = _t225;
              						L29:
              						_t175 =  *_t265 & 0x00000300;
              						if(_t175 == 0) {
              							_t250 = _a4;
              							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
              							L35:
              							 *_t250 = _t178;
              							L36:
              							_t179 = _a4;
              							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
              							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
              							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
              							if(_a28 == 0) {
              								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
              								 *((long long*)(_a4 + 0x10)) =  *_a20;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
              								_t254 = _a4;
              								_t240 = _a24;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
              								 *(_a4 + 0x50) =  *_t240;
              							} else {
              								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
              								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
              								_t240 = _a24;
              								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
              								 *(_a4 + 0x50) =  *_t240;
              							}
              							E0139DF1C(_t254);
              							RaiseException(_t262, 0, 1,  &_a4);
              							_t256 = _a4;
              							if((_t256[2] & 0x00000010) != 0) {
              								 *_t265 =  *_t265 & 0xfffffffe;
              							}
              							if((_t256[2] & 0x00000008) != 0) {
              								 *_t265 =  *_t265 & 0xfffffffb;
              							}
              							if((_t256[2] & 0x00000004) != 0) {
              								 *_t265 =  *_t265 & 0xfffffff7;
              							}
              							if((_t256[2] & 0x00000002) != 0) {
              								 *_t265 =  *_t265 & 0xffffffef;
              							}
              							if((_t256[2] & 0x00000001) != 0) {
              								 *_t265 =  *_t265 & 0xffffffdf;
              							}
              							_t195 =  *_t256 & 0x00000003;
              							if(_t195 == 0) {
              								 *_t265 =  *_t265 & 0xfffff3ff;
              							} else {
              								_t206 = _t195 - 1;
              								if(_t206 == 0) {
              									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
              									L55:
              									 *_t265 = _t209;
              									L58:
              									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
              									if(_t199 == 0) {
              										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
              										L64:
              										 *_t265 = _t202;
              										L65:
              										if(_a28 == 0) {
              											 *_t240 = _t256[0x14];
              										} else {
              											 *_t240 = _t256[0x14];
              										}
              										return _t202;
              									}
              									_t203 = _t199 - 1;
              									if(_t203 == 0) {
              										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
              										goto L64;
              									}
              									_t202 = _t203 - 1;
              									if(_t202 == 0) {
              										 *_t265 =  *_t265 & 0xfffff3ff;
              									}
              									goto L65;
              								}
              								_t210 = _t206 - 1;
              								if(_t210 == 0) {
              									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
              									goto L55;
              								}
              								if(_t210 == 1) {
              									 *_t265 =  *_t265 | 0x00000c00;
              								}
              							}
              							goto L58;
              						}
              						if(_t175 == 0x200) {
              							_t250 = _a4;
              							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
              							goto L35;
              						}
              						if(_t175 == 0x300) {
              							 *_a4 =  *_a4 & 0xffffffe3;
              						}
              						goto L36;
              					}
              					if(_t172 == 0x800) {
              						_t257 = _a4;
              						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
              						goto L26;
              					}
              					if(_t172 == 0xc00) {
              						 *_a4 =  *_a4 | 0x00000003;
              					}
              				}
              			}

              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,013A064F,?,?,00000008,?,?,013A02EF,00000000), ref: 013A0881
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: 2ea3b56d01c35c70787176153909a1b673c02c3f233112e0fb0597e140ab5022
              • Instruction ID: 6dcbf0eacf57d4ca972c7cb492724fda7f6a9da02b721239c2dcfb208b889ec3
              • Opcode Fuzzy Hash: 2ea3b56d01c35c70787176153909a1b673c02c3f233112e0fb0597e140ab5022
              • Instruction Fuzzy Hash: 11B128356106099FE719CF2CC48AB657FA0FF45368F658658F99ACF2A1C336E981CB40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 81%
              			E01373EAD() {
              				void* _t230;
              				signed int* _t231;
              				intOrPtr _t240;
              				signed int _t245;
              				intOrPtr _t246;
              				signed int _t257;
              				intOrPtr _t258;
              				signed int _t269;
              				intOrPtr _t270;
              				signed int _t275;
              				signed int _t280;
              				signed int _t285;
              				signed int _t290;
              				signed int _t295;
              				intOrPtr _t296;
              				signed int _t301;
              				intOrPtr _t302;
              				signed int _t307;
              				intOrPtr _t308;
              				signed int _t313;
              				intOrPtr _t314;
              				signed int _t319;
              				signed int _t324;
              				signed int _t329;
              				signed int _t333;
              				signed int _t334;
              				signed int _t336;
              				signed int _t337;
              				signed int _t338;
              				signed int _t340;
              				signed int _t341;
              				signed int _t342;
              				signed int _t348;
              				signed int _t350;
              				signed int _t351;
              				signed int _t353;
              				signed int _t355;
              				signed int _t356;
              				signed int _t358;
              				signed int _t360;
              				signed int _t362;
              				signed int _t363;
              				signed int _t365;
              				signed int _t366;
              				signed int _t368;
              				signed int _t369;
              				signed int _t371;
              				signed int _t372;
              				signed int _t374;
              				signed int _t375;
              				intOrPtr _t376;
              				intOrPtr _t377;
              				signed int _t379;
              				signed int _t381;
              				intOrPtr _t383;
              				signed int _t385;
              				signed int _t386;
              				signed int _t388;
              				signed int _t389;
              				signed int _t390;
              				signed int _t391;
              				signed int _t392;
              				signed int _t393;
              				signed int _t394;
              				signed int _t395;
              				intOrPtr _t396;
              				signed int _t398;
              				intOrPtr _t399;
              				signed int _t407;
              				signed int _t409;
              				signed int _t411;
              				signed int _t412;
              				signed int _t414;
              				signed int _t418;
              				signed int _t420;
              				signed int _t422;
              				signed int _t423;
              				signed int _t425;
              				signed int _t427;
              				signed int _t429;
              				intOrPtr _t431;
              				signed int _t433;
              				intOrPtr _t434;
              				void* _t435;
              				void* _t436;
              				void* _t437;
              
              				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
              				_t342 = 0x10;
              				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
              				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
              				_t436 = _t435 + 0xc;
              				_push(8);
              				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
              				_t437 = _t436 + 0xc;
              				_t418 =  *_t230 ^ 0x510e527f;
              				_t231 =  *(_t377 + 0xfc);
              				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
              				_t334 =  *(_t437 + 0x64);
              				 *(_t437 + 0x28) = 0x6a09e667;
              				 *(_t437 + 0x30) = 0xbb67ae85;
              				_t379 =  *_t231 ^ 0x1f83d9ab;
              				_t348 =  *(_t437 + 0x5c);
              				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
              				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
              				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
              				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
              				 *(_t437 + 0x38) =  *(_t437 + 0x54);
              				 *(_t437 + 0x20) =  *(_t437 + 0x50);
              				 *((intOrPtr*)(_t437 + 0x10)) = 0;
              				 *((intOrPtr*)(_t437 + 0x48)) = 0;
              				_t427 =  *(_t437 + 0x44);
              				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
              				_t240 =  *((intOrPtr*)(_t437 + 0x10));
              				 *(_t437 + 0x24) = 0xa54ff53a;
              				 *(_t437 + 0x40) = _t334;
              				 *(_t437 + 0x34) = _t348;
              				do {
              					_t37 = _t240 + 0x13a23b0; // 0x3020100
              					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
              					 *(_t437 + 0x14) = _t350;
              					_t351 = _t350 ^ _t418;
              					asm("rol ecx, 0x10");
              					_t245 =  *(_t437 + 0x28) + _t351;
              					_t420 =  *(_t437 + 0x34) ^ _t245;
              					 *(_t437 + 0x28) = _t245;
              					_t246 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror esi, 0xc");
              					 *(_t437 + 0x34) = _t420;
              					_t48 = _t246 + 0x13a23b1; // 0x4030201
              					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
              					 *(_t437 + 0x14) = _t422;
              					_t423 = _t422 ^ _t351;
              					asm("ror esi, 0x8");
              					_t353 =  *(_t437 + 0x28) + _t423;
              					 *(_t437 + 0x28) = _t353;
              					asm("ror eax, 0x7");
              					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
              					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x13a23b2; // 0x5040302
              					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
              					 *(_t437 + 0x20) = _t355;
              					_t356 = _t355 ^ _t407;
              					asm("rol ecx, 0x10");
              					_t257 =  *(_t437 + 0x30) + _t356;
              					_t409 =  *(_t437 + 0x1c) ^ _t257;
              					 *(_t437 + 0x30) = _t257;
              					_t258 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edi, 0xc");
              					 *(_t437 + 0x1c) = _t409;
              					_t71 = _t258 + 0x13a23b3; // 0x6050403
              					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
              					 *(_t437 + 0x20) = _t411;
              					_t412 = _t411 ^ _t356;
              					asm("ror edi, 0x8");
              					_t358 =  *(_t437 + 0x30) + _t412;
              					 *(_t437 + 0x30) = _t358;
              					asm("ror eax, 0x7");
              					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
              					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x13a23b4; // 0x7060504
              					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
              					_t360 = _t336 ^ _t379;
              					asm("rol ecx, 0x10");
              					_t269 =  *(_t437 + 0x18) + _t360;
              					_t381 =  *(_t437 + 0x40) ^ _t269;
              					 *(_t437 + 0x18) = _t269;
              					_t270 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edx, 0xc");
              					_t91 = _t270 + 0x13a23b5; // 0x8070605
              					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
              					 *(_t437 + 0x38) = _t337;
              					_t338 = _t337 ^ _t360;
              					asm("ror ebx, 0x8");
              					_t275 =  *(_t437 + 0x18) + _t338;
              					 *(_t437 + 0x18) = _t275;
              					asm("ror edx, 0x7");
              					 *(_t437 + 0x40) = _t381 ^ _t275;
              					_t383 =  *((intOrPtr*)(_t437 + 0x10));
              					_t101 = _t383 + 0x13a23b6; // 0x9080706
              					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
              					 *(_t437 + 0x2c) = _t362;
              					_t363 = _t362 ^ _t427;
              					asm("rol ecx, 0x10");
              					_t280 =  *(_t437 + 0x24) + _t363;
              					_t429 =  *(_t437 + 0x3c) ^ _t280;
              					 *(_t437 + 0x24) = _t280;
              					_t110 = _t383 + 0x13a23b7; // 0xa090807
              					asm("ror ebp, 0xc");
              					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
              					 *(_t437 + 0x2c) = _t385;
              					_t386 = _t385 ^ _t363;
              					asm("ror edx, 0x8");
              					_t285 =  *(_t437 + 0x24) + _t386;
              					 *(_t437 + 0x24) = _t285;
              					asm("ror ebp, 0x7");
              					 *(_t437 + 0x3c) = _t429 ^ _t285;
              					_t431 =  *((intOrPtr*)(_t437 + 0x10));
              					_t121 = _t431 + 0x13a23b8; // 0xb0a0908
              					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
              					 *(_t437 + 0x14) = _t365;
              					_t366 = _t365 ^ _t386;
              					asm("rol ecx, 0x10");
              					_t290 =  *(_t437 + 0x18) + _t366;
              					_t388 =  *(_t437 + 0x1c) ^ _t290;
              					 *(_t437 + 0x18) = _t290;
              					_t130 = _t431 + 0x13a23b9; // 0xc0b0a09
              					asm("ror edx, 0xc");
              					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
              					 *(_t437 + 0x14) = _t433;
              					 *(_t437 + 0x4c) = _t433;
              					_t427 = _t433 ^ _t366;
              					asm("ror ebp, 0x8");
              					_t295 =  *(_t437 + 0x18) + _t427;
              					_t389 = _t388 ^ _t295;
              					 *(_t437 + 0x18) = _t295;
              					 *(_t437 + 0x74) = _t295;
              					_t296 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edx, 0x7");
              					 *(_t437 + 0x1c) = _t389;
              					 *(_t437 + 0x60) = _t389;
              					_t144 = _t296 + 0x13a23ba; // 0xd0c0b0a
              					_t390 =  *(_t437 + 0x40);
              					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
              					 *(_t437 + 0x20) = _t368;
              					_t369 = _t368 ^ _t423;
              					asm("rol ecx, 0x10");
              					_t301 =  *(_t437 + 0x24) + _t369;
              					_t391 = _t390 ^ _t301;
              					 *(_t437 + 0x24) = _t301;
              					_t302 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edx, 0xc");
              					_t154 = _t302 + 0x13a23bb; // 0xe0d0c0b
              					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
              					 *(_t437 + 0x20) = _t425;
              					 *(_t437 + 0x50) = _t425;
              					_t418 = _t425 ^ _t369;
              					asm("ror esi, 0x8");
              					_t307 =  *(_t437 + 0x24) + _t418;
              					_t392 = _t391 ^ _t307;
              					 *(_t437 + 0x24) = _t307;
              					 *(_t437 + 0x78) = _t307;
              					_t308 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edx, 0x7");
              					 *(_t437 + 0x40) = _t392;
              					 *(_t437 + 0x64) = _t392;
              					_t167 = _t308 + 0x13a23bc; // 0xf0e0d0c
              					_t393 =  *(_t437 + 0x3c);
              					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
              					 *(_t437 + 0x38) = _t371;
              					_t372 = _t371 ^ _t412;
              					asm("rol ecx, 0x10");
              					_t313 =  *(_t437 + 0x28) + _t372;
              					_t394 = _t393 ^ _t313;
              					 *(_t437 + 0x28) = _t313;
              					_t314 =  *((intOrPtr*)(_t437 + 0x10));
              					asm("ror edx, 0xc");
              					_t177 = _t314 + 0x13a23bd; // 0xe0f0e0d
              					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
              					 *(_t437 + 0x38) = _t414;
              					 *(_t437 + 0x54) = _t414;
              					_t407 = _t414 ^ _t372;
              					asm("ror edi, 0x8");
              					_t319 =  *(_t437 + 0x28) + _t407;
              					_t395 = _t394 ^ _t319;
              					 *(_t437 + 0x28) = _t319;
              					asm("ror edx, 0x7");
              					 *(_t437 + 0x3c) = _t395;
              					 *(_t437 + 0x68) = _t395;
              					_t396 =  *((intOrPtr*)(_t437 + 0x10));
              					 *(_t437 + 0x6c) = _t319;
              					_t190 = _t396 + 0x13a23be; // 0xa0e0f0e
              					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
              					 *(_t437 + 0x2c) = _t374;
              					_t375 = _t374 ^ _t338;
              					asm("rol ecx, 0x10");
              					_t324 =  *(_t437 + 0x30) + _t375;
              					_t340 =  *(_t437 + 0x34) ^ _t324;
              					 *(_t437 + 0x30) = _t324;
              					_t199 = _t396 + 0x13a23bf; // 0x40a0e0f
              					asm("ror ebx, 0xc");
              					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
              					 *(_t437 + 0x2c) = _t398;
              					 *(_t437 + 0x58) = _t398;
              					_t379 = _t398 ^ _t375;
              					asm("ror edx, 0x8");
              					_t329 =  *(_t437 + 0x30) + _t379;
              					_t341 = _t340 ^ _t329;
              					 *(_t437 + 0x30) = _t329;
              					 *(_t437 + 0x70) = _t329;
              					asm("ror ebx, 0x7");
              					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
              					 *(_t437 + 0x34) = _t341;
              					_t348 =  *(_t437 + 0x34);
              					 *(_t437 + 0x5c) = _t341;
              					_t334 =  *(_t437 + 0x40);
              					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
              				} while (_t240 <= 0x90);
              				 *(_t437 + 0x84) = _t379;
              				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
              				 *(_t437 + 0x88) = _t427;
              				_t434 =  *((intOrPtr*)(_t437 + 0x48));
              				 *(_t437 + 0x7c) = _t418;
              				 *(_t437 + 0x80) = _t407;
              				do {
              					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
              					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
              					 *(_t376 + _t434) = _t333;
              					_t434 = _t434 + 4;
              				} while (_t434 < 0x20);
              				return _t333;
              			}

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: gj
              • API String ID: 0-4203073231
              • Opcode ID: 37eb7ac5fa06342b39090bdfe70bf81749be4c7fe71d23d9ac5045294213aecf
              • Instruction ID: 538a0cdc3ecf0e97414f77908bccaa1730ebdd2b8a6396ab18017d77728f2861
              • Opcode Fuzzy Hash: 37eb7ac5fa06342b39090bdfe70bf81749be4c7fe71d23d9ac5045294213aecf
              • Instruction Fuzzy Hash: 70F1D1B2A083418FC348CF29D890A1BFBE1BFC8208F59892EF598D7751D634E9558F56
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0137A995() {
              				struct _OSVERSIONINFOW _v280;
              				signed int _t6;
              				intOrPtr _t12;
              				intOrPtr _t13;
              
              				_t12 =  *0x13ad020; // 0x2
              				if(_t12 != 0xffffffff) {
              					_t6 =  *0x13b00f0; // 0xa
              					_t13 =  *0x13b00f4; // 0x0
              				} else {
              					_v280.dwOSVersionInfoSize = 0x114;
              					GetVersionExW( &_v280);
              					_t12 = _v280.dwPlatformId;
              					_t6 = _v280.dwMajorVersion;
              					_t13 = _v280.dwMinorVersion;
              					 *0x13ad020 = _t12;
              					 *0x13b00f0 = _t6;
              					 *0x13b00f4 = _t13;
              				}
              				if(_t12 != 2) {
              					return 0x501;
              				} else {
              					return (_t6 << 8) + _t13;
              				}
              			}








              APIs
              • GetVersionExW.KERNEL32(?), ref: 0137A9BA
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              • Opcode ID: 469971ed6d2bbac684f9a6a40bc865c93d0fa3d208217033f2eeaf14bffdbeec
              • Instruction ID: b5b756d73c2ddafda8f3fe50d837482c00bf3109f15c2bd1a636d6fa86f3394d
              • Opcode Fuzzy Hash: 469971ed6d2bbac684f9a6a40bc865c93d0fa3d208217033f2eeaf14bffdbeec
              • Instruction Fuzzy Hash: 8CF03AB494020CCBCB3CCB18E982AEA73B9F749314F104299EF1583748F374A9808FA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0139ACA1() {
              				signed int _t3;
              
              				_t3 = GetProcessHeap();
              				 *0x13d0874 = _t3;
              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
              			}





              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: 09e0b64cdf71c286c5114e082450138dd322807e94a512e0a00cc05b7e7714bc
              • Instruction ID: e5c9fb99cd775748098425c166e0b6d096b3ef14475e246b419bc745b510e5a5
              • Opcode Fuzzy Hash: 09e0b64cdf71c286c5114e082450138dd322807e94a512e0a00cc05b7e7714bc
              • Instruction Fuzzy Hash: B1A011302022008BC3208E32A20A20A3AECAA80B80F088028E20AC2008EB3080208B00
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E0138589E(intOrPtr __esi) {
              				signed int _t314;
              				signed int _t315;
              				signed int _t316;
              				signed int _t318;
              				signed int _t319;
              				signed int _t320;
              				signed int _t321;
              				signed int _t322;
              				signed int _t324;
              				signed int _t325;
              				signed int _t326;
              				void* _t328;
              				intOrPtr _t333;
              				signed int _t347;
              				char _t356;
              				unsigned int _t359;
              				void* _t366;
              				intOrPtr _t371;
              				signed int _t381;
              				char _t390;
              				unsigned int _t391;
              				void* _t399;
              				intOrPtr _t400;
              				signed int _t403;
              				char _t412;
              				signed int _t414;
              				intOrPtr _t415;
              				signed int _t417;
              				signed int _t418;
              				signed int _t419;
              				signed int _t420;
              				signed int _t422;
              				signed int _t423;
              				signed short _t424;
              				signed int _t425;
              				signed int _t428;
              				signed int _t429;
              				signed int _t430;
              				signed int _t431;
              				signed int _t433;
              				signed int _t434;
              				signed short _t435;
              				unsigned int _t439;
              				unsigned int _t444;
              				signed int _t458;
              				signed int _t460;
              				signed int _t461;
              				signed int _t464;
              				signed int _t466;
              				signed int _t468;
              				signed int _t471;
              				signed int _t472;
              				signed int _t473;
              				intOrPtr* _t474;
              				signed int _t478;
              				signed int _t479;
              				intOrPtr _t483;
              				unsigned int _t486;
              				void* _t488;
              				signed int _t491;
              				signed int* _t493;
              				unsigned int _t496;
              				void* _t498;
              				signed int _t501;
              				signed int _t503;
              				signed int _t511;
              				void* _t514;
              				signed int _t517;
              				signed int _t519;
              				signed int _t522;
              				void* _t525;
              				signed int _t528;
              				signed int _t529;
              				intOrPtr* _t531;
              				void* _t532;
              				signed int _t535;
              				signed int _t537;
              				signed int _t539;
              				unsigned int _t546;
              				void* _t548;
              				signed int _t551;
              				unsigned int _t555;
              				void* _t557;
              				signed int _t560;
              				intOrPtr* _t562;
              				void* _t563;
              				signed int _t566;
              				void* _t569;
              				signed int _t572;
              				intOrPtr* _t575;
              				void* _t576;
              				signed int _t579;
              				void* _t582;
              				signed int _t585;
              				signed int _t586;
              				intOrPtr* _t591;
              				void* _t592;
              				signed int _t595;
              				signed int* _t598;
              				unsigned int _t600;
              				signed int _t603;
              				unsigned int _t605;
              				signed int _t608;
              				void* _t611;
              				signed int _t613;
              				signed int _t614;
              				void* _t615;
              				unsigned int _t617;
              				unsigned int _t621;
              				signed int _t624;
              				signed int _t625;
              				signed int _t626;
              				signed int _t627;
              				signed int _t628;
              				signed int _t629;
              				unsigned int _t632;
              				signed int _t634;
              				intOrPtr* _t637;
              				intOrPtr _t638;
              				signed int _t639;
              				signed int _t640;
              				signed int _t641;
              				signed int _t643;
              				signed int _t644;
              				signed int _t645;
              				char* _t646;
              				signed int _t648;
              				signed int _t649;
              				signed int _t651;
              				char* _t652;
              				intOrPtr* _t656;
              				signed int _t657;
              				void* _t658;
              				void* _t661;
              
              				L0:
              				while(1) {
              					L0:
              					_t638 = __esi;
              					_t598 = __esi + 0x7c;
              					while(1) {
              						L1:
              						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
              						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
              							goto L12;
              						} else {
              							_t637 = _t638 + 0x8c;
              						}
              						while(1) {
              							L3:
              							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
              							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
              								break;
              							}
              							L6:
              							if( *((char*)(_t638 + 0x9c)) != 0) {
              								L99:
              								_t415 = E013847DA(_t638);
              								L100:
              								return _t415;
              							}
              							L7:
              							_push(_t637);
              							_push(_t643);
              							_t415 = E013833D3(_t638);
              							if(_t415 == 0) {
              								goto L100;
              							}
              							L8:
              							_push(_t638 + 0xa0);
              							_push(_t637);
              							_push(_t643);
              							_t415 = E0138397F(_t638);
              							if(_t415 != 0) {
              								continue;
              							} else {
              								goto L100;
              							}
              						}
              						L10:
              						_t458 = E01384422(_t638);
              						__eflags = _t458;
              						if(_t458 == 0) {
              							goto L99;
              						} else {
              							_t598 = _t638 + 0x7c;
              						}
              						L12:
              						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
              						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
              						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
              							L18:
              							_t314 = E0137A4ED(_t643);
              							_t315 =  *(_t638 + 0x124);
              							_t600 = _t314 & 0x0000fffe;
              							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
              							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
              								L20:
              								_t627 = 0xf;
              								_t316 = _t315 + 1;
              								__eflags = _t316 - _t627;
              								if(_t316 >= _t627) {
              									L26:
              									_t486 =  *(_t643 + 4) + _t627;
              									 *(_t643 + 4) = _t486 & 0x00000007;
              									_t318 = _t486 >> 3;
              									 *_t643 =  *_t643 + _t318;
              									_t488 = 0x10;
              									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
              									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
              									asm("sbb eax, eax");
              									_t319 = _t318 & _t491;
              									__eflags = _t319;
              									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
              									goto L27;
              								} else {
              									_t591 = _t638 + (_t316 + 0x29) * 4;
              									while(1) {
              										L22:
              										__eflags = _t600 -  *_t591;
              										if(_t600 <  *_t591) {
              											_t627 = _t316;
              											goto L26;
              										}
              										L23:
              										_t316 = _t316 + 1;
              										_t591 = _t591 + 4;
              										__eflags = _t316 - 0xf;
              										if(_t316 < 0xf) {
              											continue;
              										} else {
              											goto L26;
              										}
              									}
              									goto L26;
              								}
              							} else {
              								_t592 = 0x10;
              								_t626 = _t600 >> _t592 - _t315;
              								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
              								 *_t643 =  *_t643 + (_t595 >> 3);
              								 *(_t643 + 4) = _t595 & 0x00000007;
              								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
              								L27:
              								__eflags = _t460 - 0x100;
              								if(_t460 >= 0x100) {
              									L31:
              									__eflags = _t460 - 0x106;
              									if(_t460 < 0x106) {
              										L96:
              										__eflags = _t460 - 0x100;
              										if(_t460 != 0x100) {
              											L102:
              											__eflags = _t460 - 0x101;
              											if(_t460 != 0x101) {
              												L129:
              												_t461 = _t460 + 0xfffffefe;
              												__eflags = _t461;
              												_t493 = _t638 + (_t461 + 0x18) * 4;
              												_t603 =  *_t493;
              												 *(_t658 + 0x30) = _t603;
              												if(_t461 == 0) {
              													L131:
              													 *(_t638 + 0x60) = _t603;
              													_t320 = E0137A4ED(_t643);
              													_t321 =  *(_t638 + 0x2de8);
              													_t605 = _t320 & 0x0000fffe;
              													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
              													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
              														L133:
              														_t628 = 0xf;
              														_t322 = _t321 + 1;
              														__eflags = _t322 - _t628;
              														if(_t322 >= _t628) {
              															L139:
              															_t496 =  *(_t643 + 4) + _t628;
              															 *(_t643 + 4) = _t496 & 0x00000007;
              															_t324 = _t496 >> 3;
              															 *_t643 =  *_t643 + _t324;
              															_t498 = 0x10;
              															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
              															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
              															asm("sbb eax, eax");
              															_t325 = _t324 & _t501;
              															__eflags = _t325;
              															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
              															L140:
              															_t629 = _t326 & 0x0000ffff;
              															__eflags = _t629 - 8;
              															if(_t629 >= 8) {
              																_t464 = (_t629 >> 2) - 1;
              																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
              																__eflags = _t629;
              															} else {
              																_t464 = 0;
              															}
              															_t632 = _t629 + 2;
              															__eflags = _t464;
              															if(_t464 != 0) {
              																_t391 = E0137A4ED(_t643);
              																_t525 = 0x10;
              																_t632 = _t632 + (_t391 >> _t525 - _t464);
              																_t528 =  *(_t643 + 4) + _t464;
              																 *_t643 =  *_t643 + (_t528 >> 3);
              																_t529 = _t528 & 0x00000007;
              																__eflags = _t529;
              																 *(_t643 + 4) = _t529;
              															}
              															__eflags =  *((char*)(_t638 + 0x4c44));
              															_t608 =  *(_t658 + 0x30);
              															 *(_t638 + 0x74) = _t632;
              															if( *((char*)(_t638 + 0x4c44)) == 0) {
              																L147:
              																_t503 =  *(_t638 + 0x7c);
              																_t466 = _t503 - _t608;
              																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
              																__eflags = _t466 - _t328;
              																if(_t466 >= _t328) {
              																	L158:
              																	__eflags = _t632;
              																	if(_t632 == 0) {
              																		while(1) {
              																			L0:
              																			_t638 = __esi;
              																			_t598 = __esi + 0x7c;
              																			goto L1;
              																		}
              																	}
              																	L159:
              																	_t644 =  *(_t638 + 0xe6dc);
              																	do {
              																		L160:
              																		_t645 = _t644 & _t466;
              																		_t466 = _t466 + 1;
              																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
              																		_t598 = _t638 + 0x7c;
              																		_t644 =  *(_t638 + 0xe6dc);
              																		 *_t598 =  *_t598 + 0x00000001 & _t644;
              																		_t632 = _t632 - 1;
              																		__eflags = _t632;
              																	} while (_t632 != 0);
              																	goto L161;
              																}
              																L148:
              																__eflags = _t503 - _t328;
              																if(_t503 >= _t328) {
              																	goto L158;
              																}
              																L149:
              																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
              																_t468 = _t466 + _t333;
              																_t646 = _t333 + _t503;
              																 *(_t638 + 0x7c) = _t503 + _t632;
              																__eflags = _t608 - _t632;
              																if(_t608 >= _t632) {
              																	L154:
              																	__eflags = _t632 - 8;
              																	if(_t632 < 8) {
              																		goto L117;
              																	}
              																	L155:
              																	_t347 = _t632 >> 3;
              																	__eflags = _t347;
              																	 *(_t658 + 0x30) = _t347;
              																	_t639 = _t347;
              																	do {
              																		L156:
              																		E0138EA80(_t646, _t468, 8);
              																		_t658 = _t658 + 0xc;
              																		_t468 = _t468 + 8;
              																		_t646 = _t646 + 8;
              																		_t632 = _t632 - 8;
              																		_t639 = _t639 - 1;
              																		__eflags = _t639;
              																	} while (_t639 != 0);
              																	goto L116;
              																}
              																L150:
              																_t611 = 8;
              																__eflags = _t632 - _t611;
              																if(_t632 < _t611) {
              																	goto L117;
              																}
              																L151:
              																_t511 = _t632 >> 3;
              																__eflags = _t511;
              																do {
              																	L152:
              																	_t632 = _t632 - _t611;
              																	 *_t646 =  *_t468;
              																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
              																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
              																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
              																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
              																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
              																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
              																	_t356 =  *((intOrPtr*)(_t468 + 7));
              																	_t468 = _t468 + _t611;
              																	 *((char*)(_t646 + 7)) = _t356;
              																	_t646 = _t646 + _t611;
              																	_t511 = _t511 - 1;
              																	__eflags = _t511;
              																} while (_t511 != 0);
              																goto L117;
              															} else {
              																L146:
              																_push( *(_t638 + 0xe6dc));
              																_push(_t638 + 0x7c);
              																_push(_t608);
              																L71:
              																_push(_t632);
              																E013820EE();
              																goto L0;
              																do {
              																	while(1) {
              																		L0:
              																		_t638 = __esi;
              																		_t598 = __esi + 0x7c;
              																		do {
              																			while(1) {
              																				L1:
              																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
              																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
              																					goto L12;
              																				} else {
              																					_t637 = _t638 + 0x8c;
              																				}
              																				goto L3;
              																			}
              																			goto L103;
              																		} while (_t632 == 0);
              																		__eflags =  *((char*)(_t638 + 0x4c44));
              																		if( *((char*)(_t638 + 0x4c44)) == 0) {
              																			L106:
              																			_t537 =  *(_t638 + 0x7c);
              																			_t614 =  *(_t638 + 0x60);
              																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
              																			_t468 = _t537 - _t614;
              																			__eflags = _t468 - _t399;
              																			if(_t468 >= _t399) {
              																				L125:
              																				__eflags = _t632;
              																				if(_t632 == 0) {
              																					while(1) {
              																						L0:
              																						_t638 = __esi;
              																						_t598 = __esi + 0x7c;
              																						L1:
              																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
              																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
              																							goto L12;
              																						} else {
              																							_t637 = _t638 + 0x8c;
              																						}
              																					}
              																				}
              																				L126:
              																				_t648 =  *(_t638 + 0xe6dc);
              																				do {
              																					L127:
              																					_t649 = _t648 & _t468;
              																					_t468 = _t468 + 1;
              																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
              																					_t598 = _t638 + 0x7c;
              																					_t648 =  *(_t638 + 0xe6dc);
              																					 *_t598 =  *_t598 + 0x00000001 & _t648;
              																					_t632 = _t632 - 1;
              																					__eflags = _t632;
              																				} while (_t632 != 0);
              																				L161:
              																				_t643 = _t638 + 4;
              																				goto L1;
              																			}
              																			L107:
              																			__eflags = _t537 - _t399;
              																			if(_t537 >= _t399) {
              																				goto L125;
              																			}
              																			L108:
              																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
              																			_t468 = _t468 + _t400;
              																			_t646 = _t400 + _t537;
              																			 *(_t638 + 0x7c) = _t537 + _t632;
              																			__eflags = _t614 - _t632;
              																			if(_t614 >= _t632) {
              																				L113:
              																				__eflags = _t632 - 8;
              																				if(_t632 < 8) {
              																					L117:
              																					_t598 = _t638 + 0x7c;
              																					__eflags = _t632;
              																					if(_t632 == 0) {
              																						goto L161;
              																					}
              																					L118:
              																					_t598 = _t638 + 0x7c;
              																					 *_t646 =  *_t468;
              																					__eflags = _t632 - 1;
              																					if(_t632 <= 1) {
              																						goto L161;
              																					}
              																					L119:
              																					_t598 = _t638 + 0x7c;
              																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
              																					__eflags = _t632 - 2;
              																					if(_t632 <= 2) {
              																						goto L161;
              																					}
              																					L120:
              																					_t598 = _t638 + 0x7c;
              																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
              																					__eflags = _t632 - 3;
              																					if(_t632 <= 3) {
              																						goto L161;
              																					}
              																					L121:
              																					_t598 = _t638 + 0x7c;
              																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
              																					__eflags = _t632 - 4;
              																					if(_t632 <= 4) {
              																						goto L161;
              																					}
              																					L122:
              																					_t598 = _t638 + 0x7c;
              																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
              																					__eflags = _t632 - 5;
              																					if(_t632 <= 5) {
              																						goto L161;
              																					}
              																					L123:
              																					_t598 = _t638 + 0x7c;
              																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
              																					__eflags = _t632 - 6;
              																					if(_t632 <= 6) {
              																						goto L161;
              																					}
              																					L124:
              																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
              																					while(1) {
              																						L0:
              																						_t638 = __esi;
              																						_t598 = __esi + 0x7c;
              																						goto L1;
              																					}
              																				}
              																				L114:
              																				_t403 = _t632 >> 3;
              																				__eflags = _t403;
              																				 *(_t658 + 0x30) = _t403;
              																				_t641 = _t403;
              																				do {
              																					L115:
              																					E0138EA80(_t646, _t468, 8);
              																					_t658 = _t658 + 0xc;
              																					_t468 = _t468 + 8;
              																					_t646 = _t646 + 8;
              																					_t632 = _t632 - 8;
              																					_t641 = _t641 - 1;
              																					__eflags = _t641;
              																				} while (_t641 != 0);
              																				L116:
              																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
              																				goto L117;
              																			}
              																			L109:
              																			_t615 = 8;
              																			__eflags = _t632 - _t615;
              																			if(_t632 < _t615) {
              																				goto L117;
              																			}
              																			L110:
              																			_t539 = _t632 >> 3;
              																			__eflags = _t539;
              																			do {
              																				L111:
              																				_t632 = _t632 - _t615;
              																				 *_t646 =  *_t468;
              																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
              																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
              																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
              																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
              																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
              																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
              																				_t412 =  *((intOrPtr*)(_t468 + 7));
              																				_t468 = _t468 + _t615;
              																				 *((char*)(_t646 + 7)) = _t412;
              																				_t646 = _t646 + _t615;
              																				_t539 = _t539 - 1;
              																				__eflags = _t539;
              																			} while (_t539 != 0);
              																			goto L117;
              																		}
              																		L105:
              																		_push( *(_t638 + 0xe6dc));
              																		_push(_t638 + 0x7c);
              																		_push( *(_t638 + 0x60));
              																		goto L71;
              																	}
              																	L98:
              																	_t417 = E01381A0E(_t638, _t658 + 0x1c);
              																	__eflags = _t417;
              																} while (_t417 != 0);
              																goto L99;
              															}
              														}
              														L134:
              														_t531 = _t638 + (_t322 + 0xb5a) * 4;
              														while(1) {
              															L135:
              															__eflags = _t605 -  *_t531;
              															if(_t605 <  *_t531) {
              																break;
              															}
              															L136:
              															_t322 = _t322 + 1;
              															_t531 = _t531 + 4;
              															__eflags = _t322 - 0xf;
              															if(_t322 < 0xf) {
              																continue;
              															}
              															L137:
              															goto L139;
              														}
              														L138:
              														_t628 = _t322;
              														goto L139;
              													}
              													L132:
              													_t532 = 0x10;
              													_t613 = _t605 >> _t532 - _t321;
              													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
              													 *_t643 =  *_t643 + (_t535 >> 3);
              													 *(_t643 + 4) = _t535 & 0x00000007;
              													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
              													goto L140;
              												} else {
              													goto L130;
              												}
              												do {
              													L130:
              													 *_t493 =  *(_t493 - 4);
              													_t493 = _t493 - 4;
              													_t461 = _t461 - 1;
              													__eflags = _t461;
              												} while (_t461 != 0);
              												goto L131;
              											}
              											L103:
              											_t632 =  *(_t638 + 0x74);
              											_t598 = _t638 + 0x7c;
              											__eflags = _t632;
              										}
              										L97:
              										_push(_t658 + 0x1c);
              										_t414 = E01383564(_t638, _t643);
              										__eflags = _t414;
              										if(_t414 == 0) {
              											goto L99;
              										}
              										goto L98;
              									}
              									L32:
              									_t634 = _t460 - 0x106;
              									__eflags = _t634 - 8;
              									if(_t634 >= 8) {
              										_t478 = (_t634 >> 2) - 1;
              										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
              										__eflags = _t634;
              									} else {
              										_t478 = 0;
              									}
              									_t632 = _t634 + 2;
              									__eflags = _t478;
              									if(_t478 != 0) {
              										_t444 = E0137A4ED(_t643);
              										_t582 = 0x10;
              										_t632 = _t632 + (_t444 >> _t582 - _t478);
              										_t585 =  *(_t643 + 4) + _t478;
              										 *_t643 =  *_t643 + (_t585 >> 3);
              										_t586 = _t585 & 0x00000007;
              										__eflags = _t586;
              										 *(_t643 + 4) = _t586;
              									}
              									_t418 = E0137A4ED(_t643);
              									_t419 =  *(_t638 + 0x1010);
              									_t617 = _t418 & 0x0000fffe;
              									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
              									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
              										L39:
              										_t479 = 0xf;
              										_t420 = _t419 + 1;
              										__eflags = _t420 - _t479;
              										if(_t420 >= _t479) {
              											L45:
              											_t546 =  *(_t643 + 4) + _t479;
              											 *(_t643 + 4) = _t546 & 0x00000007;
              											_t422 = _t546 >> 3;
              											 *_t643 =  *_t643 + _t422;
              											_t548 = 0x10;
              											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
              											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
              											asm("sbb eax, eax");
              											_t423 = _t422 & _t551;
              											__eflags = _t423;
              											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
              											goto L46;
              										}
              										L40:
              										_t575 = _t638 + (_t420 + 0x3e4) * 4;
              										while(1) {
              											L41:
              											__eflags = _t617 -  *_t575;
              											if(_t617 <  *_t575) {
              												break;
              											}
              											L42:
              											_t420 = _t420 + 1;
              											_t575 = _t575 + 4;
              											__eflags = _t420 - 0xf;
              											if(_t420 < 0xf) {
              												continue;
              											}
              											L43:
              											goto L45;
              										}
              										L44:
              										_t479 = _t420;
              										goto L45;
              									} else {
              										L38:
              										_t576 = 0x10;
              										_t625 = _t617 >> _t576 - _t419;
              										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
              										 *_t643 =  *_t643 + (_t579 >> 3);
              										 *(_t643 + 4) = _t579 & 0x00000007;
              										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
              										L46:
              										_t425 = _t424 & 0x0000ffff;
              										__eflags = _t425 - 4;
              										if(_t425 >= 4) {
              											_t643 = (_t425 >> 1) - 1;
              											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
              											__eflags = _t425;
              										} else {
              											_t643 = 0;
              										}
              										_t428 = _t425 + 1;
              										 *(_t658 + 0x14) = _t428;
              										_t471 = _t428;
              										 *(_t658 + 0x30) = _t471;
              										__eflags = _t643;
              										if(_t643 == 0) {
              											L64:
              											_t643 = _t638 + 4;
              											goto L65;
              										} else {
              											L50:
              											__eflags = _t643 - 4;
              											if(__eflags < 0) {
              												L72:
              												_t359 = E01387D76(_t638 + 4);
              												_t514 = 0x20;
              												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
              												_t517 =  *(_t638 + 8) + _t643;
              												 *(_t658 + 0x30) = _t471;
              												_t643 = _t638 + 4;
              												 *_t643 =  *_t643 + (_t517 >> 3);
              												 *(_t643 + 4) = _t517 & 0x00000007;
              												L65:
              												__eflags = _t471 - 0x100;
              												if(_t471 > 0x100) {
              													_t632 = _t632 + 1;
              													__eflags = _t471 - 0x2000;
              													if(_t471 > 0x2000) {
              														_t632 = _t632 + 1;
              														__eflags = _t471 - 0x40000;
              														if(_t471 > 0x40000) {
              															_t632 = _t632 + 1;
              															__eflags = _t632;
              														}
              													}
              												}
              												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
              												 *(_t638 + 0x68) =  *(_t638 + 0x64);
              												 *(_t638 + 0x64) =  *(_t638 + 0x60);
              												 *(_t638 + 0x60) = _t471;
              												__eflags =  *((char*)(_t638 + 0x4c44));
              												 *(_t638 + 0x74) = _t632;
              												if( *((char*)(_t638 + 0x4c44)) == 0) {
              													L73:
              													_t598 = _t638 + 0x7c;
              													_t519 =  *_t598;
              													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
              													_t651 = _t519 - _t471;
              													__eflags = _t651 - _t366;
              													if(_t651 >= _t366) {
              														L92:
              														__eflags = _t632;
              														if(_t632 == 0) {
              															goto L161;
              														}
              														L93:
              														_t472 =  *(_t638 + 0xe6dc);
              														do {
              															L94:
              															_t473 = _t472 & _t651;
              															_t651 = _t651 + 1;
              															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
              															_t598 = _t638 + 0x7c;
              															_t472 =  *(_t638 + 0xe6dc);
              															 *_t598 =  *_t598 + 0x00000001 & _t472;
              															_t632 = _t632 - 1;
              															__eflags = _t632;
              														} while (_t632 != 0);
              														goto L161;
              													}
              													L74:
              													__eflags = _t519 - _t366;
              													if(_t519 >= _t366) {
              														goto L92;
              													}
              													L75:
              													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
              													_t474 = _t371 + _t651;
              													_t652 = _t371 + _t519;
              													 *_t598 = _t519 + _t632;
              													__eflags =  *(_t658 + 0x30) - _t632;
              													if( *(_t658 + 0x30) >= _t632) {
              														L80:
              														__eflags = _t632 - 8;
              														if(_t632 < 8) {
              															L84:
              															__eflags = _t632;
              															if(_t632 != 0) {
              																 *_t652 =  *_t474;
              																__eflags = _t632 - 1;
              																if(_t632 > 1) {
              																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
              																	__eflags = _t632 - 2;
              																	if(_t632 > 2) {
              																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
              																		__eflags = _t632 - 3;
              																		if(_t632 > 3) {
              																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
              																			__eflags = _t632 - 4;
              																			if(_t632 > 4) {
              																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
              																				__eflags = _t632 - 5;
              																				if(_t632 > 5) {
              																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
              																					__eflags = _t632 - 6;
              																					if(_t632 > 6) {
              																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
              																					}
              																				}
              																			}
              																		}
              																	}
              																}
              															}
              															goto L161;
              														}
              														L81:
              														_t381 = _t632 >> 3;
              														__eflags = _t381;
              														 *(_t658 + 0x30) = _t381;
              														_t640 = _t381;
              														do {
              															L82:
              															E0138EA80(_t652, _t474, 8);
              															_t658 = _t658 + 0xc;
              															_t474 = _t474 + 8;
              															_t652 = _t652 + 8;
              															_t632 = _t632 - 8;
              															_t640 = _t640 - 1;
              															__eflags = _t640;
              														} while (_t640 != 0);
              														_t638 =  *((intOrPtr*)(_t658 + 0x10));
              														_t598 =  *(_t658 + 0x18);
              														goto L84;
              													}
              													L76:
              													__eflags = _t632 - 8;
              													if(_t632 < 8) {
              														goto L84;
              													}
              													L77:
              													_t522 = _t632 >> 3;
              													__eflags = _t522;
              													do {
              														L78:
              														_t632 = _t632 - 8;
              														 *_t652 =  *_t474;
              														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
              														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
              														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
              														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
              														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
              														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
              														_t390 =  *((intOrPtr*)(_t474 + 7));
              														_t474 = _t474 + 8;
              														 *((char*)(_t652 + 7)) = _t390;
              														_t652 = _t652 + 8;
              														_t522 = _t522 - 1;
              														__eflags = _t522;
              													} while (_t522 != 0);
              													goto L84;
              												} else {
              													L70:
              													_push( *(_t638 + 0xe6dc));
              													_push(_t638 + 0x7c);
              													_push(_t471);
              													goto L71;
              												}
              											}
              											L51:
              											if(__eflags <= 0) {
              												_t656 = _t638 + 4;
              											} else {
              												_t439 = E01387D76(_t638 + 4);
              												_t569 = 0x24;
              												_t572 = _t643 - 4 +  *(_t638 + 8);
              												_t656 = _t638 + 4;
              												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
              												 *_t656 =  *_t656 + (_t572 >> 3);
              												 *(_t656 + 4) = _t572 & 0x00000007;
              											}
              											_t429 = E0137A4ED(_t656);
              											_t430 =  *(_t638 + 0x1efc);
              											_t621 = _t429 & 0x0000fffe;
              											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
              											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
              												L56:
              												_t657 = 0xf;
              												_t431 = _t430 + 1;
              												__eflags = _t431 - _t657;
              												if(_t431 >= _t657) {
              													L62:
              													_t555 =  *(_t638 + 8) + _t657;
              													 *(_t638 + 8) = _t555 & 0x00000007;
              													_t433 = _t555 >> 3;
              													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
              													_t557 = 0x10;
              													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
              													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
              													asm("sbb eax, eax");
              													_t434 = _t433 & _t560;
              													__eflags = _t434;
              													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
              													goto L63;
              												}
              												L57:
              												_t562 = _t638 + (_t431 + 0x79f) * 4;
              												while(1) {
              													L58:
              													__eflags = _t621 -  *_t562;
              													if(_t621 <  *_t562) {
              														break;
              													}
              													L59:
              													_t431 = _t431 + 1;
              													_t562 = _t562 + 4;
              													__eflags = _t431 - 0xf;
              													if(_t431 < 0xf) {
              														continue;
              													}
              													L60:
              													goto L62;
              												}
              												L61:
              												_t657 = _t431;
              												goto L62;
              											} else {
              												L55:
              												_t563 = 0x10;
              												_t624 = _t621 >> _t563 - _t430;
              												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
              												 *_t656 =  *_t656 + (_t566 >> 3);
              												 *(_t656 + 4) = _t566 & 0x00000007;
              												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
              												L63:
              												_t471 = _t471 + (_t435 & 0x0000ffff);
              												__eflags = _t471;
              												 *(_t658 + 0x30) = _t471;
              												goto L64;
              											}
              										}
              									}
              								}
              								L28:
              								__eflags =  *((char*)(_t638 + 0x4c44));
              								if( *((char*)(_t638 + 0x4c44)) == 0) {
              									L30:
              									_t598 = _t638 + 0x7c;
              									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
              									 *_t598 =  *_t598 + 1;
              									continue;
              								}
              								L29:
              								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
              								 *(E013817A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
              								goto L0;
              							}
              						}
              						L13:
              						__eflags = _t483 -  *_t598;
              						if(_t483 ==  *_t598) {
              							goto L18;
              						}
              						L14:
              						E013847DA(_t638);
              						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
              						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
              						if(__eflags > 0) {
              							goto L100;
              						}
              						L15:
              						if(__eflags < 0) {
              							L17:
              							__eflags =  *((char*)(_t638 + 0x4c50));
              							if( *((char*)(_t638 + 0x4c50)) != 0) {
              								L162:
              								 *((char*)(_t638 + 0x4c60)) = 0;
              								goto L100;
              							}
              							goto L18;
              						}
              						L16:
              						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
              						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
              						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
              							goto L100;
              						}
              						goto L17;
              					}
              				}
              			}
              0x01385f3e
              0x01385f41
              0x01385f43
              0x01385f46
              0x01385f48
              0x01385f48
              0x01385f48
              0x00000000
              0x01385f4d
              0x01385ebb
              0x01385ebb
              0x01385ec4
              0x01385ec5
              0x00000000
              0x01385ec5
              0x01385e73
              0x01385e7a
              0x01385e7f
              0x01385e7f
              0x00000000
              0x0138589e
              0x01386159
              0x013860af
              0x013860b5
              0x013860b8
              0x013860b8
              0x013860b8
              0x013860ba
              0x00000000
              0x00000000
              0x013860bc
              0x013860bc
              0x013860bd
              0x013860c0
              0x013860c3
              0x00000000
              0x00000000
              0x013860c5
              0x00000000
              0x013860c5
              0x013860c7
              0x013860c7
              0x00000000
              0x013860c7
              0x0138607d
              0x0138607f
              0x01386082
              0x0138608c
              0x01386094
              0x0138609a
              0x0138609d
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x0138604f
              0x0138604f
              0x01386052
              0x01386054
              0x01386057
              0x01386057
              0x01386057
              0x00000000
              0x0138604f
              0x01385ea4
              0x01385ea4
              0x01385ea7
              0x01385eaa
              0x01385eaa
              0x01385e62
              0x01385e68
              0x01385e6a
              0x01385e6f
              0x01385e71
              0x00000000
              0x00000000
              0x00000000
              0x01385e71
              0x01385a64
              0x01385a64
              0x01385a6a
              0x01385a6d
              0x01385a7e
              0x01385a81
              0x01385a81
              0x01385a6f
              0x01385a6f
              0x01385a6f
              0x01385a83
              0x01385a86
              0x01385a88
              0x01385a8c
              0x01385a93
              0x01385a9b
              0x01385a9d
              0x01385aa4
              0x01385aa7
              0x01385aa7
              0x01385aaa
              0x01385aaa
              0x01385aaf
              0x01385ab6
              0x01385abc
              0x01385ac2
              0x01385ac9
              0x01385af5
              0x01385af7
              0x01385af8
              0x01385af9
              0x01385afb
              0x01385b17
              0x01385b1a
              0x01385b21
              0x01385b24
              0x01385b27
              0x01385b33
              0x01385b3f
              0x01385b41
              0x01385b47
              0x01385b49
              0x01385b49
              0x01385b4b
              0x00000000
              0x01385b4b
              0x01385afd
              0x01385b03
              0x01385b06
              0x01385b06
              0x01385b06
              0x01385b08
              0x00000000
              0x00000000
              0x01385b0a
              0x01385b0a
              0x01385b0b
              0x01385b0e
              0x01385b11
              0x00000000
              0x00000000
              0x01385b13
              0x00000000
              0x01385b13
              0x01385b15
              0x01385b15
              0x00000000
              0x01385acb
              0x01385acb
              0x01385acd
              0x01385ad0
              0x01385ada
              0x01385ae2
              0x01385ae8
              0x01385aeb
              0x01385b53
              0x01385b53
              0x01385b56
              0x01385b59
              0x01385b69
              0x01385b6c
              0x01385b6c
              0x01385b5b
              0x01385b5b
              0x01385b5b
              0x01385b6e
              0x01385b6f
              0x01385b73
              0x01385b75
              0x01385b79
              0x01385b7b
              0x01385c6f
              0x01385c6f
              0x00000000
              0x01385b81
              0x01385b81
              0x01385b81
              0x01385b84
              0x01385cca
              0x01385ccd
              0x01385cd6
              0x01385cde
              0x01385ce2
              0x01385ce6
              0x01385ced
              0x01385cf0
              0x01385cf6
              0x01385c72
              0x01385c72
              0x01385c78
              0x01385c7a
              0x01385c7b
              0x01385c81
              0x01385c83
              0x01385c84
              0x01385c8a
              0x01385c8c
              0x01385c8c
              0x01385c8c
              0x01385c8a
              0x01385c81
              0x01385c90
              0x01385c96
              0x01385c9c
              0x01385c9f
              0x01385ca2
              0x01385ca9
              0x01385cac
              0x01385cfe
              0x01385d04
              0x01385d07
              0x01385d09
              0x01385d10
              0x01385d12
              0x01385d14
              0x01385e20
              0x01385e20
              0x01385e22
              0x00000000
              0x00000000
              0x01385e28
              0x01385e28
              0x01385e2e
              0x01385e2e
              0x01385e34
              0x01385e39
              0x01385e3d
              0x01385e40
              0x01385e45
              0x01385e4e
              0x01385e50
              0x01385e50
              0x01385e50
              0x00000000
              0x01385e55
              0x01385d1a
              0x01385d1a
              0x01385d1c
              0x00000000
              0x00000000
              0x01385d22
              0x01385d22
              0x01385d28
              0x01385d2b
              0x01385d31
              0x01385d33
              0x01385d37
              0x01385d82
              0x01385d82
              0x01385d85
              0x01385db4
              0x01385db4
              0x01385db6
              0x01385dbe
              0x01385dc1
              0x01385dc4
              0x01385dcd
              0x01385dd0
              0x01385dd3
              0x01385ddc
              0x01385ddf
              0x01385de2
              0x01385deb
              0x01385dee
              0x01385df1
              0x01385dfa
              0x01385dfd
              0x01385e00
              0x01385e09
              0x01385e0c
              0x01385e0f
              0x01385e18
              0x01385e18
              0x01385e0f
              0x01385e00
              0x01385df1
              0x01385de2
              0x01385dd3
              0x01385dc4
              0x00000000
              0x01385db6
              0x01385d87
              0x01385d89
              0x01385d89
              0x01385d8c
              0x01385d90
              0x01385d92
              0x01385d92
              0x01385d96
              0x01385d9b
              0x01385d9e
              0x01385da1
              0x01385da4
              0x01385da7
              0x01385da7
              0x01385da7
              0x01385dac
              0x01385db0
              0x00000000
              0x01385db0
              0x01385d39
              0x01385d39
              0x01385d3c
              0x00000000
              0x00000000
              0x01385d3e
              0x01385d40
              0x01385d40
              0x01385d43
              0x01385d43
              0x01385d45
              0x01385d48
              0x01385d4e
              0x01385d54
              0x01385d5a
              0x01385d60
              0x01385d66
              0x01385d6c
              0x01385d6f
              0x01385d72
              0x01385d75
              0x01385d78
              0x01385d7b
              0x01385d7b
              0x01385d7b
              0x00000000
              0x01385cae
              0x01385cae
              0x01385cae
              0x01385cb7
              0x01385cb8
              0x00000000
              0x01385cb8
              0x01385cac
              0x01385b8a
              0x01385b8a
              0x01385bbd
              0x01385b8c
              0x01385b8f
              0x01385b98
              0x01385ba0
              0x01385ba3
              0x01385bab
              0x01385bb2
              0x01385bb8
              0x01385bb8
              0x01385bc2
              0x01385bc9
              0x01385bcf
              0x01385bd5
              0x01385bdc
              0x01385c08
              0x01385c0a
              0x01385c0b
              0x01385c0c
              0x01385c0e
              0x01385c2a
              0x01385c2d
              0x01385c34
              0x01385c37
              0x01385c3a
              0x01385c46
              0x01385c52
              0x01385c54
              0x01385c5a
              0x01385c5c
              0x01385c5c
              0x01385c5e
              0x00000000
              0x01385c5e
              0x01385c10
              0x01385c16
              0x01385c19
              0x01385c19
              0x01385c19
              0x01385c1b
              0x00000000
              0x00000000
              0x01385c1d
              0x01385c1d
              0x01385c1e
              0x01385c21
              0x01385c24
              0x00000000
              0x00000000
              0x01385c26
              0x00000000
              0x01385c26
              0x01385c28
              0x01385c28
              0x00000000
              0x01385bde
              0x01385bde
              0x01385be0
              0x01385be3
              0x01385bed
              0x01385bf5
              0x01385bfb
              0x01385bfe
              0x01385c66
              0x01385c69
              0x01385c69
              0x01385c6b
              0x00000000
              0x01385c6b
              0x01385bdc
              0x01385b7b
              0x01385ac9
              0x01385a1e
              0x01385a1e
              0x01385a25
              0x01385a43
              0x01385a49
              0x01385a4e
              0x01385a51
              0x00000000
              0x01385a51
              0x01385a27
              0x01385a34
              0x01385a3c
              0x00000000
              0x01385a3c
              0x0138598f
              0x01385935
              0x01385935
              0x01385937
              0x00000000
              0x00000000
              0x01385939
              0x0138593b
              0x01385940
              0x01385946
              0x0138594c
              0x00000000
              0x00000000
              0x01385952
              0x01385952
              0x01385966
              0x01385966
              0x0138596d
              0x01386261
              0x01386261
              0x00000000
              0x01386261
              0x00000000
              0x0138596d
              0x01385954
              0x01385954
              0x0138595a
              0x01385960
              0x00000000
              0x00000000
              0x00000000
              0x01385960
              0x013858a1

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
              • Instruction ID: 2964ff9114f4aec2a7640835df1a58cc6496bf01900c94088c8d4d570ea3830d
              • Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
              • Instruction Fuzzy Hash: 7A6219716047899FCB26DF38C8906B9BBE1AF85308F08C56ED9AB8B746D734E545CB10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E01386CDB(void* __ecx) {
              				intOrPtr* _t347;
              				signed int _t351;
              				signed int _t352;
              				signed int _t353;
              				signed int _t355;
              				signed int _t356;
              				signed int _t357;
              				signed int _t358;
              				signed int _t359;
              				signed int _t361;
              				signed int _t362;
              				signed int _t363;
              				void* _t365;
              				intOrPtr _t370;
              				signed int _t380;
              				char _t389;
              				unsigned int _t390;
              				signed int _t397;
              				void* _t399;
              				intOrPtr _t404;
              				signed int _t407;
              				char _t416;
              				signed int _t417;
              				char _t418;
              				signed int _t420;
              				signed int _t421;
              				signed int _t422;
              				signed int _t423;
              				signed int _t425;
              				signed int _t426;
              				signed short _t427;
              				signed int _t430;
              				void* _t435;
              				intOrPtr _t440;
              				signed int _t443;
              				char _t452;
              				unsigned int _t453;
              				signed int _t456;
              				signed int _t457;
              				signed int _t458;
              				signed int _t461;
              				signed int _t462;
              				signed short _t463;
              				unsigned int _t467;
              				unsigned int _t472;
              				intOrPtr _t489;
              				signed int _t490;
              				signed int _t491;
              				signed int _t492;
              				signed int _t493;
              				unsigned int _t496;
              				unsigned int _t498;
              				intOrPtr _t499;
              				signed int _t501;
              				intOrPtr _t505;
              				intOrPtr _t506;
              				intOrPtr _t507;
              				unsigned int _t510;
              				void* _t512;
              				signed int _t515;
              				signed int* _t518;
              				unsigned int _t521;
              				void* _t523;
              				signed int _t526;
              				signed int _t529;
              				intOrPtr _t530;
              				void* _t532;
              				signed int _t535;
              				signed int _t536;
              				intOrPtr* _t538;
              				void* _t539;
              				signed int _t542;
              				intOrPtr _t545;
              				unsigned int _t552;
              				void* _t554;
              				signed int _t557;
              				signed int _t559;
              				signed int _t561;
              				intOrPtr _t563;
              				void* _t565;
              				signed int _t568;
              				signed int _t569;
              				signed int _t571;
              				signed int _t573;
              				void* _t575;
              				signed int _t578;
              				intOrPtr* _t580;
              				void* _t581;
              				signed int _t584;
              				void* _t587;
              				signed int _t590;
              				intOrPtr* _t593;
              				void* _t594;
              				signed int _t597;
              				void* _t600;
              				signed int _t603;
              				intOrPtr* _t607;
              				void* _t608;
              				signed int _t611;
              				signed int _t614;
              				unsigned int _t616;
              				signed int _t619;
              				signed int _t620;
              				unsigned int _t622;
              				signed int _t625;
              				signed int _t628;
              				signed int _t629;
              				signed int _t630;
              				signed int _t633;
              				unsigned int _t635;
              				signed int _t638;
              				signed int _t641;
              				signed int _t644;
              				intOrPtr* _t645;
              				unsigned int _t647;
              				signed int _t650;
              				signed int _t651;
              				signed int _t652;
              				signed int _t653;
              				intOrPtr _t654;
              				signed int _t655;
              				signed int _t656;
              				signed int _t657;
              				signed int _t658;
              				signed int _t659;
              				signed int _t660;
              				signed int _t661;
              				signed int _t662;
              				void* _t663;
              				intOrPtr _t666;
              				intOrPtr* _t667;
              				intOrPtr* _t668;
              				signed int _t671;
              				signed int _t673;
              				intOrPtr* _t675;
              				signed int _t677;
              				signed int _t680;
              				intOrPtr* _t681;
              				signed int _t682;
              				signed int _t683;
              				signed int _t684;
              				signed int _t685;
              				void* _t691;
              
              				_t654 =  *((intOrPtr*)(_t691 + 0x34));
              				_t663 = __ecx;
              				if( *((char*)(_t654 + 0x2c)) != 0) {
              					L3:
              					_t505 =  *((intOrPtr*)(_t654 + 0x18));
              					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
              					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
              						L2:
              						 *((char*)(_t654 + 0x4ad0)) = 1;
              						return 0;
              					} else {
              						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
              						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
              						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
              						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
              						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
              						__eflags = _t666 - _t489;
              						if(_t666 >= _t489) {
              							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
              						}
              						_t347 = _t654 + 4;
              						while(1) {
              							_t614 =  *(_t663 + 0xe6dc);
              							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
              							_t506 =  *_t347;
              							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
              							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
              								goto L16;
              							}
              							L10:
              							__eflags = _t506 - _t666;
              							if(__eflags > 0) {
              								L100:
              								_t418 = 1;
              								L101:
              								return _t418;
              							}
              							if(__eflags != 0) {
              								L13:
              								__eflags = _t506 - _t499;
              								if(_t506 < _t499) {
              									L15:
              									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
              									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
              										L151:
              										 *((char*)(_t654 + 0x4ad3)) = 1;
              										goto L100;
              									}
              									goto L16;
              								}
              								__eflags =  *((char*)(_t654 + 0x4ad2));
              								if( *((char*)(_t654 + 0x4ad2)) == 0) {
              									goto L151;
              								}
              								goto L15;
              							}
              							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
              							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
              								goto L100;
              							}
              							goto L13;
              							L16:
              							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
              							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
              							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
              								L21:
              								_t667 = _t654 + 4;
              								_t351 = E0137A4ED(_t667);
              								_t352 =  *(_t654 + 0xb4);
              								_t616 = _t351 & 0x0000fffe;
              								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
              								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
              									_t490 = 0xf;
              									_t353 = _t352 + 1;
              									__eflags = _t353 - _t490;
              									if(_t353 >= _t490) {
              										L30:
              										_t510 =  *(_t667 + 4) + _t490;
              										 *(_t667 + 4) = _t510 & 0x00000007;
              										_t355 = _t510 >> 3;
              										 *_t667 =  *_t667 + _t355;
              										_t512 = 0x10;
              										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
              										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
              										asm("sbb eax, eax");
              										_t356 = _t355 & _t515;
              										__eflags = _t356;
              										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
              										_t347 = _t654 + 4;
              										L31:
              										__eflags = _t619 - 0x100;
              										if(_t619 >= 0x100) {
              											__eflags = _t619 - 0x106;
              											if(_t619 < 0x106) {
              												__eflags = _t619 - 0x100;
              												if(_t619 != 0x100) {
              													__eflags = _t619 - 0x101;
              													if(_t619 != 0x101) {
              														_t620 = _t619 + 0xfffffefe;
              														__eflags = _t620;
              														_t518 =  &((_t663 + 0x60)[_t620]);
              														_t491 =  *_t518;
              														 *(_t691 + 0x24) = _t491;
              														if(_t620 == 0) {
              															L122:
              															_t668 = _t654 + 4;
              															 *(_t663 + 0x60) = _t491;
              															_t357 = E0137A4ED(_t668);
              															_t358 =  *(_t654 + 0x2d78);
              															_t622 = _t357 & 0x0000fffe;
              															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
              															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
              																_t492 = 0xf;
              																_t359 = _t358 + 1;
              																__eflags = _t359 - _t492;
              																if(_t359 >= _t492) {
              																	L130:
              																	_t521 =  *(_t668 + 4) + _t492;
              																	 *(_t668 + 4) = _t521 & 0x00000007;
              																	_t361 = _t521 >> 3;
              																	 *_t668 =  *_t668 + _t361;
              																	_t523 = 0x10;
              																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
              																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
              																	asm("sbb eax, eax");
              																	_t362 = _t361 & _t526;
              																	__eflags = _t362;
              																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
              																	L131:
              																	_t493 = _t363 & 0x0000ffff;
              																	__eflags = _t493 - 8;
              																	if(_t493 >= 8) {
              																		_t671 = (_t493 >> 2) - 1;
              																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
              																		__eflags = _t493;
              																	} else {
              																		_t671 = 0;
              																	}
              																	_t496 = _t493 + 2;
              																	__eflags = _t671;
              																	if(_t671 != 0) {
              																		_t390 = E0137A4ED(_t654 + 4);
              																		_t532 = 0x10;
              																		_t496 = _t496 + (_t390 >> _t532 - _t671);
              																		_t535 =  *(_t654 + 8) + _t671;
              																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
              																		_t536 = _t535 & 0x00000007;
              																		__eflags = _t536;
              																		 *(_t654 + 8) = _t536;
              																	}
              																	_t625 =  *(_t663 + 0x7c);
              																	_t673 = _t625 -  *(_t691 + 0x24);
              																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
              																	 *(_t663 + 0x74) = _t496;
              																	__eflags = _t673 - _t365;
              																	if(_t673 >= _t365) {
              																		L147:
              																		_t347 = _t654 + 4;
              																		__eflags = _t496;
              																		if(_t496 == 0) {
              																			goto L7;
              																		}
              																		_t655 =  *(_t663 + 0xe6dc);
              																		do {
              																			_t656 = _t655 & _t673;
              																			_t673 = _t673 + 1;
              																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
              																			_t655 =  *(_t663 + 0xe6dc);
              																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
              																			_t496 = _t496 - 1;
              																			__eflags = _t496;
              																		} while (_t496 != 0);
              																		L150:
              																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
              																		L33:
              																		_t347 = _t654 + 4;
              																		goto L7;
              																	} else {
              																		__eflags = _t625 - _t365;
              																		if(_t625 >= _t365) {
              																			goto L147;
              																		}
              																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
              																		_t675 = _t673 + _t370;
              																		_t529 = _t370 + _t625;
              																		 *(_t691 + 0x1c) = _t529;
              																		 *(_t663 + 0x7c) = _t625 + _t496;
              																		__eflags =  *(_t691 + 0x24) - _t496;
              																		if( *(_t691 + 0x24) >= _t496) {
              																			__eflags = _t496 - 8;
              																			if(_t496 < 8) {
              																				L85:
              																				_t347 = _t654 + 4;
              																				__eflags = _t498;
              																				if(_t498 == 0) {
              																					L7:
              																					L8:
              																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
              																					while(1) {
              																						_t614 =  *(_t663 + 0xe6dc);
              																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
              																						_t506 =  *_t347;
              																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
              																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
              																							goto L16;
              																						}
              																						goto L10;
              																					}
              																				}
              																				 *_t529 =  *_t675;
              																				_t347 = _t654 + 4;
              																				__eflags = _t498 - 1;
              																				if(_t498 <= 1) {
              																					goto L7;
              																				}
              																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
              																				_t347 = _t654 + 4;
              																				__eflags = _t498 - 2;
              																				if(_t498 <= 2) {
              																					goto L7;
              																				}
              																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
              																				_t347 = _t654 + 4;
              																				__eflags = _t498 - 3;
              																				if(_t498 <= 3) {
              																					goto L7;
              																				}
              																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
              																				_t347 = _t654 + 4;
              																				__eflags = _t498 - 4;
              																				if(_t498 <= 4) {
              																					goto L7;
              																				}
              																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
              																				_t347 = _t654 + 4;
              																				__eflags = _t498 - 5;
              																				if(_t498 <= 5) {
              																					goto L7;
              																				}
              																				__eflags = _t498 - 6;
              																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
              																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
              																				_t347 = _t654 + 4;
              																				if(_t498 > 6) {
              																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
              																					_t347 = _t654 + 4;
              																				}
              																				goto L8;
              																			}
              																			_t380 = _t496 >> 3;
              																			__eflags = _t380;
              																			 *(_t691 + 0x24) = _t380;
              																			_t657 = _t380;
              																			do {
              																				E0138EA80(_t529, _t675, 8);
              																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
              																				_t691 = _t691 + 0xc;
              																				_t529 = _t530 + 8;
              																				_t675 = _t675 + 8;
              																				_t496 = _t496 - 8;
              																				 *(_t691 + 0x1c) = _t529;
              																				_t657 = _t657 - 1;
              																				__eflags = _t657;
              																			} while (_t657 != 0);
              																			L84:
              																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
              																			goto L85;
              																		}
              																		__eflags = _t496 - 8;
              																		if(_t496 < 8) {
              																			goto L85;
              																		}
              																		_t628 = _t496 >> 3;
              																		__eflags = _t628;
              																		do {
              																			_t496 = _t496 - 8;
              																			 *_t529 =  *_t675;
              																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
              																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
              																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
              																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
              																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
              																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
              																			_t389 =  *((intOrPtr*)(_t675 + 7));
              																			_t675 = _t675 + 8;
              																			 *((char*)(_t529 + 7)) = _t389;
              																			_t529 = _t529 + 8;
              																			_t628 = _t628 - 1;
              																			__eflags = _t628;
              																		} while (_t628 != 0);
              																		goto L85;
              																	}
              																}
              																_t538 = _t654 + (_t359 + 0xb3e) * 4;
              																while(1) {
              																	__eflags = _t622 -  *_t538;
              																	if(_t622 <  *_t538) {
              																		break;
              																	}
              																	_t359 = _t359 + 1;
              																	_t538 = _t538 + 4;
              																	__eflags = _t359 - 0xf;
              																	if(_t359 < 0xf) {
              																		continue;
              																	}
              																	goto L130;
              																}
              																_t492 = _t359;
              																goto L130;
              															}
              															_t539 = 0x10;
              															_t629 = _t622 >> _t539 - _t358;
              															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
              															 *_t668 =  *_t668 + (_t542 >> 3);
              															 *(_t668 + 4) = _t542 & 0x00000007;
              															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
              															goto L131;
              														} else {
              															goto L121;
              														}
              														do {
              															L121:
              															 *_t518 =  *(_t518 - 4);
              															_t518 = _t518 - 4;
              															_t620 = _t620 - 1;
              															__eflags = _t620;
              														} while (_t620 != 0);
              														goto L122;
              													}
              													_t498 =  *(_t663 + 0x74);
              													_t666 =  *((intOrPtr*)(_t691 + 0x14));
              													__eflags = _t498;
              													if(_t498 == 0) {
              														L23:
              														_t499 =  *((intOrPtr*)(_t691 + 0x10));
              														continue;
              													}
              													_t397 =  *(_t663 + 0x60);
              													_t630 =  *(_t663 + 0x7c);
              													_t677 = _t630 - _t397;
              													 *(_t691 + 0x1c) = _t397;
              													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
              													__eflags = _t677 - _t399;
              													if(_t677 >= _t399) {
              														L116:
              														_t347 = _t654 + 4;
              														__eflags = _t498;
              														if(_t498 == 0) {
              															goto L7;
              														}
              														_t658 =  *(_t663 + 0xe6dc);
              														do {
              															_t659 = _t658 & _t677;
              															_t677 = _t677 + 1;
              															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
              															_t658 =  *(_t663 + 0xe6dc);
              															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
              															_t498 = _t498 - 1;
              															__eflags = _t498;
              														} while (_t498 != 0);
              														goto L150;
              													}
              													__eflags = _t630 - _t399;
              													if(_t630 >= _t399) {
              														goto L116;
              													}
              													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
              													_t675 = _t677 + _t404;
              													_t529 = _t404 + _t630;
              													 *(_t691 + 0x24) = _t529;
              													 *(_t663 + 0x7c) = _t630 + _t498;
              													__eflags =  *(_t691 + 0x1c) - _t498;
              													if( *(_t691 + 0x1c) >= _t498) {
              														__eflags = _t498 - 8;
              														if(_t498 < 8) {
              															goto L85;
              														}
              														_t407 = _t498 >> 3;
              														__eflags = _t407;
              														_t660 = _t407;
              														do {
              															E0138EA80(_t529, _t675, 8);
              															_t545 =  *((intOrPtr*)(_t691 + 0x30));
              															_t691 = _t691 + 0xc;
              															_t529 = _t545 + 8;
              															_t675 = _t675 + 8;
              															_t498 = _t498 - 8;
              															 *(_t691 + 0x24) = _t529;
              															_t660 = _t660 - 1;
              															__eflags = _t660;
              														} while (_t660 != 0);
              														goto L84;
              													}
              													__eflags = _t498 - 8;
              													if(_t498 < 8) {
              														goto L85;
              													}
              													_t633 = _t498 >> 3;
              													__eflags = _t633;
              													do {
              														_t498 = _t498 - 8;
              														 *_t529 =  *_t675;
              														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
              														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
              														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
              														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
              														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
              														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
              														_t416 =  *((intOrPtr*)(_t675 + 7));
              														_t675 = _t675 + 8;
              														 *((char*)(_t529 + 7)) = _t416;
              														_t529 = _t529 + 8;
              														_t633 = _t633 - 1;
              														__eflags = _t633;
              													} while (_t633 != 0);
              													goto L85;
              												}
              												_push(_t691 + 0x28);
              												_t417 = E01383564(_t663, _t347);
              												__eflags = _t417;
              												if(_t417 == 0) {
              													goto L100;
              												}
              												_t420 = E01381A0E(_t663, _t691 + 0x28);
              												__eflags = _t420;
              												if(_t420 != 0) {
              													goto L33;
              												}
              												goto L100;
              											}
              											_t501 = _t619 - 0x106;
              											__eflags = _t501 - 8;
              											if(_t501 >= 8) {
              												_t680 = (_t501 >> 2) - 1;
              												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
              												__eflags = _t501;
              											} else {
              												_t680 = 0;
              											}
              											_t498 = _t501 + 2;
              											__eflags = _t680;
              											if(_t680 == 0) {
              												_t681 = _t654 + 4;
              											} else {
              												_t472 = E0137A4ED(_t347);
              												_t600 = 0x10;
              												_t498 = _t498 + (_t472 >> _t600 - _t680);
              												_t603 =  *(_t654 + 8) + _t680;
              												_t681 = _t654 + 4;
              												 *_t681 =  *_t681 + (_t603 >> 3);
              												 *(_t681 + 4) = _t603 & 0x00000007;
              											}
              											_t421 = E0137A4ED(_t681);
              											_t422 =  *(_t654 + 0xfa0);
              											_t635 = _t421 & 0x0000fffe;
              											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
              											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
              												_t682 = 0xf;
              												_t423 = _t422 + 1;
              												__eflags = _t423 - _t682;
              												if(_t423 >= _t682) {
              													L49:
              													_t552 =  *(_t654 + 8) + _t682;
              													 *(_t654 + 8) = _t552 & 0x00000007;
              													_t425 = _t552 >> 3;
              													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
              													_t554 = 0x10;
              													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
              													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
              													asm("sbb eax, eax");
              													_t426 = _t425 & _t557;
              													__eflags = _t426;
              													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
              													goto L50;
              												}
              												_t593 = _t654 + (_t423 + 0x3c8) * 4;
              												while(1) {
              													__eflags = _t635 -  *_t593;
              													if(_t635 <  *_t593) {
              														break;
              													}
              													_t423 = _t423 + 1;
              													_t593 = _t593 + 4;
              													__eflags = _t423 - 0xf;
              													if(_t423 < 0xf) {
              														continue;
              													}
              													goto L49;
              												}
              												_t682 = _t423;
              												goto L49;
              											} else {
              												_t594 = 0x10;
              												_t652 = _t635 >> _t594 - _t422;
              												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
              												 *_t681 =  *_t681 + (_t597 >> 3);
              												 *(_t681 + 4) = _t597 & 0x00000007;
              												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
              												L50:
              												_t638 = _t427 & 0x0000ffff;
              												__eflags = _t638 - 4;
              												if(_t638 >= 4) {
              													_t430 = (_t638 >> 1) - 1;
              													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
              													__eflags = _t638;
              												} else {
              													_t430 = 0;
              												}
              												 *(_t691 + 0x18) = _t430;
              												_t559 = _t638 + 1;
              												 *(_t691 + 0x24) = _t559;
              												_t683 = _t559;
              												 *(_t691 + 0x1c) = _t683;
              												__eflags = _t430;
              												if(_t430 == 0) {
              													L70:
              													__eflags = _t683 - 0x100;
              													if(_t683 > 0x100) {
              														_t498 = _t498 + 1;
              														__eflags = _t683 - 0x2000;
              														if(_t683 > 0x2000) {
              															_t498 = _t498 + 1;
              															__eflags = _t683 - 0x40000;
              															if(_t683 > 0x40000) {
              																_t498 = _t498 + 1;
              																__eflags = _t498;
              															}
              														}
              													}
              													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
              													 *(_t663 + 0x68) =  *(_t663 + 0x64);
              													 *(_t663 + 0x64) =  *(_t663 + 0x60);
              													 *(_t663 + 0x60) = _t683;
              													_t641 =  *(_t663 + 0x7c);
              													_t561 = _t641 - _t683;
              													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
              													 *(_t663 + 0x74) = _t498;
              													 *(_t691 + 0x24) = _t561;
              													__eflags = _t561 - _t435;
              													if(_t561 >= _t435) {
              														L93:
              														_t666 =  *((intOrPtr*)(_t691 + 0x14));
              														_t347 = _t654 + 4;
              														__eflags = _t498;
              														if(_t498 == 0) {
              															goto L23;
              														}
              														_t684 =  *(_t663 + 0xe6dc);
              														_t661 =  *(_t691 + 0x24);
              														do {
              															_t685 = _t684 & _t661;
              															_t661 = _t661 + 1;
              															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
              															_t684 =  *(_t663 + 0xe6dc);
              															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
              															_t498 = _t498 - 1;
              															__eflags = _t498;
              														} while (_t498 != 0);
              														goto L150;
              													} else {
              														__eflags = _t641 - _t435;
              														if(_t641 >= _t435) {
              															goto L93;
              														}
              														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
              														_t675 = _t440 + _t561;
              														_t529 = _t440 + _t641;
              														 *(_t691 + 0x24) = _t529;
              														 *(_t663 + 0x7c) = _t641 + _t498;
              														__eflags =  *(_t691 + 0x1c) - _t498;
              														if( *(_t691 + 0x1c) >= _t498) {
              															__eflags = _t498 - 8;
              															if(_t498 < 8) {
              																goto L85;
              															}
              															_t443 = _t498 >> 3;
              															__eflags = _t443;
              															 *(_t691 + 0x1c) = _t443;
              															_t662 = _t443;
              															do {
              																E0138EA80(_t529, _t675, 8);
              																_t563 =  *((intOrPtr*)(_t691 + 0x30));
              																_t691 = _t691 + 0xc;
              																_t529 = _t563 + 8;
              																_t675 = _t675 + 8;
              																_t498 = _t498 - 8;
              																 *(_t691 + 0x24) = _t529;
              																_t662 = _t662 - 1;
              																__eflags = _t662;
              															} while (_t662 != 0);
              															goto L84;
              														}
              														__eflags = _t498 - 8;
              														if(_t498 < 8) {
              															goto L85;
              														}
              														_t644 = _t498 >> 3;
              														__eflags = _t644;
              														do {
              															_t498 = _t498 - 8;
              															 *_t529 =  *_t675;
              															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
              															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
              															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
              															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
              															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
              															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
              															_t452 =  *((intOrPtr*)(_t675 + 7));
              															_t675 = _t675 + 8;
              															 *((char*)(_t529 + 7)) = _t452;
              															_t529 = _t529 + 8;
              															_t644 = _t644 - 1;
              															__eflags = _t644;
              														} while (_t644 != 0);
              														goto L85;
              													}
              												} else {
              													__eflags = _t430 - 4;
              													if(__eflags < 0) {
              														_t453 = E01387D76(_t654 + 4);
              														_t565 = 0x20;
              														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
              														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
              														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
              														_t569 = _t568 & 0x00000007;
              														__eflags = _t569;
              														 *(_t654 + 8) = _t569;
              														L69:
              														 *(_t691 + 0x1c) = _t683;
              														goto L70;
              													}
              													if(__eflags <= 0) {
              														_t645 = _t654 + 4;
              													} else {
              														_t467 = E01387D76(_t654 + 4);
              														_t651 =  *(_t691 + 0x18);
              														_t587 = 0x24;
              														_t590 = _t651 - 4 +  *(_t654 + 8);
              														_t645 = _t654 + 4;
              														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
              														 *_t645 =  *_t645 + (_t590 >> 3);
              														 *(_t645 + 4) = _t590 & 0x00000007;
              													}
              													_t456 = E0137A4ED(_t645);
              													_t457 =  *(_t654 + 0x1e8c);
              													_t647 = _t456 & 0x0000fffe;
              													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
              													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
              														_t571 = 0xf;
              														_t458 = _t457 + 1;
              														 *(_t691 + 0x18) = _t571;
              														__eflags = _t458 - _t571;
              														if(_t458 >= _t571) {
              															L66:
              															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
              															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
              															_t461 =  *(_t691 + 0x18);
              															 *(_t654 + 8) = _t573 & 0x00000007;
              															_t575 = 0x10;
              															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
              															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
              															asm("sbb eax, eax");
              															_t462 = _t461 & _t578;
              															__eflags = _t462;
              															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
              															goto L67;
              														}
              														_t580 = _t654 + (_t458 + 0x783) * 4;
              														while(1) {
              															__eflags = _t647 -  *_t580;
              															if(_t647 <  *_t580) {
              																break;
              															}
              															_t458 = _t458 + 1;
              															_t580 = _t580 + 4;
              															__eflags = _t458 - 0xf;
              															if(_t458 < 0xf) {
              																continue;
              															}
              															goto L66;
              														}
              														 *(_t691 + 0x18) = _t458;
              														goto L66;
              													} else {
              														_t581 = 0x10;
              														_t650 = _t647 >> _t581 - _t457;
              														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
              														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
              														 *(_t654 + 8) = _t584 & 0x00000007;
              														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
              														L67:
              														_t683 = _t683 + (_t463 & 0x0000ffff);
              														goto L69;
              													}
              												}
              											}
              										}
              										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
              										_t69 = _t663 + 0x7c;
              										 *_t69 =  *(_t663 + 0x7c) + 1;
              										__eflags =  *_t69;
              										goto L33;
              									}
              									_t607 = _t654 + (_t353 + 0xd) * 4;
              									while(1) {
              										__eflags = _t616 -  *_t607;
              										if(_t616 <  *_t607) {
              											break;
              										}
              										_t353 = _t353 + 1;
              										_t607 = _t607 + 4;
              										__eflags = _t353 - 0xf;
              										if(_t353 < 0xf) {
              											continue;
              										}
              										goto L30;
              									}
              									_t490 = _t353;
              									goto L30;
              								}
              								_t608 = 0x10;
              								_t653 = _t616 >> _t608 - _t352;
              								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
              								 *_t667 =  *_t667 + (_t611 >> 3);
              								_t347 = _t654 + 4;
              								 *(_t347 + 4) = _t611 & 0x00000007;
              								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
              								goto L31;
              							}
              							__eflags = _t507 -  *(_t663 + 0x7c);
              							if(_t507 ==  *(_t663 + 0x7c)) {
              								goto L21;
              							}
              							E013847DA(_t663);
              							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
              							if(__eflags > 0) {
              								L152:
              								_t418 = 0;
              								goto L101;
              							}
              							if(__eflags < 0) {
              								goto L21;
              							}
              							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
              							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
              								goto L152;
              							}
              							goto L21;
              						}
              					}
              				}
              				 *((char*)(_t654 + 0x2c)) = 1;
              				_push(_t654 + 0x30);
              				_push(_t654 + 0x18);
              				_push(_t654 + 4);
              				if(E0138397F(__ecx) != 0) {
              					goto L3;
              				}
              				goto L2;
              			}

              0x0138749e
              0x0138749e
              0x013874a0
              0x00000000
              0x00000000
              0x013874a2
              0x013874a3
              0x013874a6
              0x013874a9
              0x00000000
              0x00000000
              0x00000000
              0x013874ab
              0x013874ad
              0x00000000
              0x013874ad
              0x01387465
              0x01387468
              0x01387472
              0x0138747a
              0x01387480
              0x01387483
              0x00000000
              0x00000000
              0x00000000
              0x00000000
              0x01387432
              0x01387432
              0x01387435
              0x01387437
              0x0138743a
              0x0138743a
              0x0138743a
              0x00000000
              0x01387432
              0x01387308
              0x0138730b
              0x0138730f
              0x01387311
              0x01386e27
              0x01386e27
              0x00000000
              0x01386e27
              0x01387317
              0x0138731a
              0x0138731f
              0x01387321
              0x0138732b
              0x01387330
              0x01387332
              0x013873e2
              0x013873e2
              0x013873e5
              0x013873e7
              0x00000000
              0x00000000
              0x013873ed
              0x013873f3
              0x013873f9
              0x013873fe
              0x01387402
              0x01387408
              0x01387411
              0x01387414
              0x01387414
              0x01387414
              0x00000000
              0x01387419
              0x01387338
              0x0138733a
              0x00000000
              0x00000000
              0x01387340
              0x01387346
              0x01387348
              0x0138734e
              0x01387352
              0x01387355
              0x01387359
              0x013873ab
              0x013873ae
              0x00000000
              0x00000000
              0x013873b6
              0x013873b6
              0x013873b9
              0x013873bb
              0x013873bf
              0x013873c4
              0x013873c8
              0x013873cb
              0x013873ce
              0x013873d1
              0x013873d4
              0x013873d8
              0x013873d8
              0x013873d8
              0x00000000
              0x013873dd
              0x0138735b
              0x0138735e
              0x00000000
              0x00000000
              0x01387366
              0x01387366
              0x01387369
              0x0138736c
              0x0138736f
              0x01387374
              0x0138737a
              0x01387380
              0x01387386
              0x0138738c
              0x01387392
              0x01387395
              0x01387398
              0x0138739b
              0x0138739e
              0x013873a1
              0x013873a1
              0x013873a1
              0x00000000
              0x013873a6
              0x013872cf
              0x013872d3
              0x013872d8
              0x013872da
              0x00000000
              0x00000000
              0x013872e3
              0x013872e8
              0x013872ea
              0x00000000
              0x00000000
              0x00000000
              0x013872ea
              0x01386eb1
              0x01386eb7
              0x01386eba
              0x01386ecb
              0x01386ece
              0x01386ece
              0x01386ebc
              0x01386ebc
              0x01386ebc
              0x01386ed0
              0x01386ed3
              0x01386ed5
              0x01386eff
              0x01386ed7
              0x01386ed9
              0x01386ee0
              0x01386ee8
              0x01386eea
              0x01386eec
              0x01386ef4
              0x01386efa
              0x01386efa
              0x01386f04
              0x01386f0b
              0x01386f11
              0x01386f17
              0x01386f1e
              0x01386f4c
              0x01386f4d
              0x01386f4e
              0x01386f50
              0x01386f6c
              0x01386f6f
              0x01386f76
              0x01386f79
              0x01386f7c
              0x01386f88
              0x01386f94
              0x01386f96
              0x01386f9c
              0x01386f9e
              0x01386f9e
              0x01386fa0
              0x00000000
              0x01386fa0
              0x01386f58
              0x01386f5b
              0x01386f5b
              0x01386f5d
              0x00000000
              0x00000000
              0x01386f5f
              0x01386f60
              0x01386f63
              0x01386f66
              0x00000000
              0x00000000
              0x00000000
              0x01386f68
              0x01386f6a
              0x00000000
              0x01386f20
              0x01386f22
              0x01386f25
              0x01386f2f
              0x01386f37
              0x01386f3d
              0x01386f40
              0x01386fa8
              0x01386fa8
              0x01386fab
              0x01386fae
              0x01386fbe
              0x01386fc1
              0x01386fc1
              0x01386fb0
              0x01386fb0
              0x01386fb0
              0x01386fc3
              0x01386fc7
              0x01386fca
              0x01386fce
              0x01386fd0
              0x01386fd4
              0x01386fd6
              0x01387107
              0x01387107
              0x0138710d
              0x0138710f
              0x01387110
              0x01387116
              0x01387118
              0x01387119
              0x0138711f
              0x01387121
              0x01387121
              0x01387121
              0x0138711f
              0x01387116
              0x01387125
              0x0138712b
              0x01387131
              0x01387134
              0x01387137
              0x01387142
              0x01387144
              0x01387149
              0x0138714c
              0x01387150
              0x01387152
              0x01387283
              0x01387283
              0x01387287
              0x0138728a
              0x0138728c
              0x00000000
              0x00000000
              0x01387292
              0x01387298
              0x0138729c
              0x013872a2
              0x013872a7
              0x013872ab
              0x013872b1
              0x013872ba
              0x013872bd
              0x013872bd
              0x013872bd
              0x00000000
              0x01387158
              0x01387158
              0x0138715a
              0x00000000
              0x00000000
              0x01387160
              0x01387166
              0x01387169
              0x0138716f
              0x01387173
              0x01387176
              0x0138717a
              0x013871c5
              0x013871c8
              0x00000000
              0x00000000
              0x013871cc
              0x013871cc
              0x013871cf
              0x013871d3
              0x013871d5
              0x013871d9
              0x013871de
              0x013871e2
              0x013871e5
              0x013871e8
              0x013871eb
              0x013871ee
              0x013871f2
              0x013871f2
              0x013871f2
              0x00000000
              0x013871d5
              0x0138717c
              0x0138717f
              0x00000000
              0x00000000
              0x01387183
              0x01387183
              0x01387186
              0x01387189
              0x0138718c
              0x01387191
              0x01387197
              0x0138719d
              0x013871a3
              0x013871a9
              0x013871af
              0x013871b2
              0x013871b5
              0x013871b8
              0x013871bb
              0x013871be
              0x013871be
              0x013871be
              0x00000000
              0x013871c3
              0x01386fdc
              0x01386fdc
              0x01386fdf
              0x013870da
              0x013870e3
              0x013870ed
              0x013870f1
              0x013870fa
              0x013870fd
              0x013870fd
              0x01387100
              0x01387103
              0x01387103
              0x00000000
              0x01387103
              0x01386fe5
              0x0138701b
              0x01386fe7
              0x01386fea
              0x01386fef
              0x01386ff7
              0x01386fff
              0x01387002
              0x0138700a
              0x01387011
              0x01387016
              0x01387016
              0x01387020
              0x01387027
              0x0138702d
              0x01387033
              0x0138703a
              0x01387068
              0x01387069
              0x0138706a
              0x0138706e
              0x01387070
              0x0138708e
              0x01387091
              0x0138709d
              0x013870a0
              0x013870a4
              0x013870a9
              0x013870bc
              0x013870be
              0x013870c4
              0x013870c6
              0x013870c6
              0x013870c8
              0x00000000
              0x013870c8
              0x01387078
              0x0138707b
              0x0138707b
              0x0138707d
              0x00000000
              0x00000000
              0x0138707f
              0x01387080
              0x01387083
              0x01387086
              0x00000000
              0x00000000
              0x00000000
              0x01387088
              0x0138708a
              0x00000000
              0x0138703c
              0x0138703e
              0x01387041
              0x0138704b
              0x01387053
              0x01387059
              0x0138705c
              0x013870d0
              0x013870d3
              0x00000000
              0x013870d3
              0x0138703a
              0x01386fd6
              0x01386f1e
              0x01386e97
              0x01386e9a
              0x01386e9a
              0x01386e9a
              0x00000000
              0x01386e9a
              0x01386e3b
              0x01386e3e
              0x01386e3e
              0x01386e40
              0x00000000
              0x00000000
              0x01386e42
              0x01386e43
              0x01386e46
              0x01386e49
              0x00000000
              0x00000000
              0x00000000
              0x01386e4b
              0x01386e4d
              0x00000000
              0x01386e4d
              0x01386dfc
              0x01386dff
              0x01386e09
              0x01386e11
              0x01386e17
              0x01386e1a
              0x01386e1d
              0x00000000
              0x01386e1d
              0x01386daa
              0x01386dad
              0x00000000
              0x00000000
              0x01386db1
              0x01386dbc
              0x01386dc2
              0x0138764b
              0x0138764b
              0x00000000
              0x0138764b
              0x01386dc8
              0x00000000
              0x00000000
              0x01386dd0
              0x01386dd6
              0x00000000
              0x00000000
              0x00000000
              0x01386dd6
              0x01386d52
              0x01386d1e
              0x01386cef
              0x01386cf3
              0x01386cf7
              0x01386cfb
              0x01386d03
              0x00000000
              0x00000000
              0x00000000

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
              • Instruction ID: b942c4980a3e8e5a42eb7f71f85e0f7179e5fb48665128e0d0e86b8e6ea540e9
              • Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
              • Instruction Fuzzy Hash: 626216B160478A9FC719DF28C8905B9FBE2FF4520CF18866DD99687B42D331E55ACB40
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E0137E973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
              				signed int _v4;
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int* _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _t429;
              				intOrPtr _t431;
              				intOrPtr _t436;
              				void* _t441;
              				intOrPtr _t443;
              				signed int _t446;
              				void* _t448;
              				signed int _t454;
              				signed int _t460;
              				signed int _t466;
              				signed int _t474;
              				signed int _t482;
              				signed int _t489;
              				signed int _t512;
              				signed int _t519;
              				signed int _t526;
              				signed int _t546;
              				signed int _t555;
              				signed int _t564;
              				signed int* _t592;
              				signed int _t593;
              				signed int _t595;
              				signed int _t596;
              				signed int* _t597;
              				signed int _t598;
              				signed int _t599;
              				signed int _t601;
              				signed int _t603;
              				signed int _t604;
              				signed int* _t605;
              				signed int _t606;
              				signed int* _t670;
              				signed int* _t741;
              				signed int _t752;
              				signed int _t769;
              				signed int _t773;
              				signed int _t777;
              				signed int _t781;
              				signed int _t782;
              				signed int _t786;
              				signed int _t787;
              				signed int _t791;
              				signed int _t796;
              				signed int _t800;
              				signed int _t804;
              				signed int _t806;
              				signed int _t809;
              				signed int _t810;
              				signed int* _t811;
              				signed int _t814;
              				signed int _t815;
              				signed int _t816;
              				signed int _t820;
              				signed int _t821;
              				signed int _t825;
              				signed int _t830;
              				signed int _t834;
              				signed int _t838;
              				signed int* _t839;
              				signed int _t841;
              				signed int _t842;
              				signed int _t844;
              				signed int _t845;
              				signed int _t847;
              				signed int* _t848;
              				signed int _t851;
              				signed int* _t854;
              				signed int _t855;
              				signed int _t857;
              				signed int _t858;
              				signed int _t862;
              				signed int _t863;
              				signed int _t867;
              				signed int _t871;
              				signed int _t875;
              				signed int _t879;
              				signed int _t880;
              				signed int* _t881;
              				signed int _t882;
              				signed int _t884;
              				signed int _t885;
              				signed int _t886;
              				signed int _t887;
              				signed int _t888;
              				signed int _t890;
              				signed int _t891;
              				signed int _t893;
              				signed int _t894;
              				signed int _t896;
              				signed int _t897;
              				signed int* _t898;
              				signed int _t899;
              				signed int _t901;
              				signed int _t902;
              				signed int _t904;
              				signed int _t905;
              
              				_t906 =  &_v28;
              				if(_a16 == 0) {
              					_t839 = _a8;
              					_v20 = _t839;
              					E0138EA80(_t839, _a12, 0x40);
              					_t906 =  &(( &_v28)[3]);
              				} else {
              					_t839 = _a12;
              					_v20 = _t839;
              				}
              				_t848 = _a4;
              				_t593 =  *_t848;
              				_t886 = _t848[1];
              				_a12 = _t848[2];
              				_a16 = _t848[3];
              				_v24 = 0;
              				_t429 = E01395604( *_t839);
              				asm("rol edx, 0x5");
              				 *_t839 = _t429;
              				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
              				_t430 = _t839;
              				asm("ror ebp, 0x2");
              				_v16 = _t839;
              				_a8 =  &(_t839[3]);
              				do {
              					_t431 = E01395604(_t430[1]);
              					asm("rol edx, 0x5");
              					 *((intOrPtr*)(_v16 + 4)) = _t431;
              					asm("ror ebx, 0x2");
              					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
              					_t436 = E01395604( *((intOrPtr*)(_a8 - 4)));
              					asm("rol edx, 0x5");
              					 *((intOrPtr*)(_a8 - 4)) = _t436;
              					asm("ror esi, 0x2");
              					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
              					_t441 = E01395604( *_a8);
              					asm("rol edx, 0x5");
              					 *_a8 = _t441;
              					asm("ror dword [esp+0x48], 0x2");
              					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
              					_t443 = E01395604( *((intOrPtr*)(_a8 + 4)));
              					_a8 = _a8 + 0x14;
              					asm("rol edx, 0x5");
              					 *((intOrPtr*)(_a8 + 4)) = _t443;
              					_t446 = _v24 + 5;
              					asm("ror dword [esp+0x48], 0x2");
              					_v24 = _t446;
              					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
              					_v16 =  &(_t839[_t446]);
              					_t448 = E01395604(_t839[_t446]);
              					_t906 =  &(_t906[5]);
              					asm("rol edx, 0x5");
              					 *_v16 = _t448;
              					_t430 = _v16;
              					asm("ror ebp, 0x2");
              					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
              				} while (_v24 != 0xf);
              				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
              				asm("rol edx, 1");
              				asm("rol ecx, 0x5");
              				 *_t839 = _t769;
              				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
              				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
              				_a16 = _t454;
              				asm("rol edx, 1");
              				asm("rol ecx, 0x5");
              				asm("ror ebx, 0x2");
              				_t839[1] = _t773;
              				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
              				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
              				asm("ror esi, 0x2");
              				_a8 = _t460;
              				asm("rol edx, 1");
              				asm("rol ecx, 0x5");
              				_t839[2] = _t777;
              				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
              				_t887 = _a16;
              				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
              				_v28 = _t466;
              				asm("ror ebp, 0x2");
              				_a16 = _t887;
              				_t888 = _a8;
              				asm("rol edx, 1");
              				asm("rol ecx, 0x5");
              				_t839[3] = _t781;
              				asm("ror ebp, 0x2");
              				_t782 = 0x11;
              				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
              				_a8 = _t888;
              				_v16 = _t782;
              				do {
              					_t89 = _t782 + 5; // 0x16
              					_t474 = _t89;
              					_v8 = _t474;
              					_t91 = _t782 - 5; // 0xc
              					_t92 = _t782 + 3; // 0x14
              					_t890 = _t92 & 0x0000000f;
              					_t595 = _t474 & 0x0000000f;
              					_v12 = _t890;
              					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
              					asm("rol edx, 1");
              					_t839[_t890] = _t786;
              					_t891 = _v28;
              					asm("rol ecx, 0x5");
              					asm("ror ebp, 0x2");
              					_v28 = _t891;
              					_t482 = _v16;
              					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
              					_t854 = _v20;
              					_t787 = 0xf;
              					_t841 = _t482 + 0x00000006 & _t787;
              					_t893 = _t482 + 0x00000004 & _t787;
              					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
              					asm("rol edx, 1");
              					 *(_t854 + _t893 * 4) = _t791;
              					_t855 = _a12;
              					asm("rol ecx, 0x5");
              					asm("ror esi, 0x2");
              					_a12 = _t855;
              					_t489 = _v16;
              					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
              					_t857 = _t489 + 0x00000007 & 0x0000000f;
              					_t670 = _v20;
              					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
              					asm("rol edx, 1");
              					 *(_t670 + _t595 * 4) = _t796;
              					_t596 = _v24;
              					asm("rol ecx, 0x5");
              					asm("ror ebx, 0x2");
              					_v24 = _t596;
              					_t597 = _v20;
              					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
              					asm("rol ecx, 0x5");
              					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
              					asm("rol edx, 1");
              					 *(_t597 + _t841 * 4) = _t800;
              					_t598 = _a16;
              					_t839 = _v20;
              					asm("ror ebx, 0x2");
              					_a16 = _t598;
              					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
              					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
              					_t894 = _a8;
              					asm("rol edx, 1");
              					_t839[_t857] = _t804;
              					_t851 = _v24;
              					asm("rol ecx, 0x5");
              					_t782 = _v8;
              					asm("ror ebp, 0x2");
              					_a8 = _t894;
              					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
              					_v16 = _t782;
              				} while (_t782 + 3 <= 0x23);
              				_t858 = 0x25;
              				_v16 = _t858;
              				while(1) {
              					_t199 = _t858 + 5; // 0x2a
              					_t512 = _t199;
              					_t200 = _t858 - 5; // 0x20
              					_v4 = _t512;
              					_t202 = _t858 + 3; // 0x28
              					_t806 = _t202 & 0x0000000f;
              					_v8 = _t806;
              					_t896 = _t512 & 0x0000000f;
              					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
              					asm("rol esi, 1");
              					_t599 = _v28;
              					_t839[_t806] = _t862;
              					asm("rol edx, 0x5");
              					asm("ror ebx, 0x2");
              					_t863 = 0xf;
              					_v28 = _t599;
              					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
              					_t519 = _v16;
              					_t601 = _t519 + 0x00000006 & _t863;
              					_t809 = _t519 + 0x00000004 & _t863;
              					_v12 = _t809;
              					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
              					asm("rol esi, 1");
              					_t839[_t809] = _t867;
              					_t842 = _a12;
              					_t810 = _v24;
              					asm("rol edx, 0x5");
              					asm("ror edi, 0x2");
              					_a12 = _t842;
              					_t243 = _t810 - 0x70e44324; // -1894007573
              					_t811 = _v20;
              					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
              					_t526 = _v16;
              					_t844 = _t526 + 0x00000007 & 0x0000000f;
              					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
              					asm("rol esi, 1");
              					 *(_t811 + _t896 * 4) = _t871;
              					_t897 = _v24;
              					asm("rol edx, 0x5");
              					asm("ror ebp, 0x2");
              					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
              					_v24 = _t897;
              					_t898 = _v20;
              					_a8 = _t814;
              					asm("rol edx, 0x5");
              					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
              					asm("rol esi, 1");
              					 *(_t898 + _t601 * 4) = _t875;
              					_t598 = _a16;
              					asm("ror ebx, 0x2");
              					_a16 = _t598;
              					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
              					_v28 = _t815;
              					asm("rol edx, 0x5");
              					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
              					asm("rol esi, 1");
              					 *(_t898 + _t844 * 4) = _t879;
              					_t899 = _a8;
              					_t845 = _v24;
              					asm("ror ebp, 0x2");
              					_a8 = _t899;
              					_t858 = _v4;
              					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
              					_v16 = _t858;
              					if(_t858 + 3 > 0x37) {
              						break;
              					}
              					_t839 = _v20;
              				}
              				_t816 = 0x39;
              				_v16 = _t816;
              				do {
              					_t310 = _t816 + 5; // 0x3e
              					_t546 = _t310;
              					_v8 = _t546;
              					_t312 = _t816 + 3; // 0x3c
              					_t313 = _t816 - 5; // 0x34
              					_t880 = 0xf;
              					_t901 = _t312 & _t880;
              					_t603 = _t546 & _t880;
              					_t881 = _v20;
              					_v4 = _t901;
              					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
              					asm("rol edx, 1");
              					 *(_t881 + _t901 * 4) = _t820;
              					_t902 = _v28;
              					asm("rol ecx, 0x5");
              					asm("ror ebp, 0x2");
              					_v28 = _t902;
              					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
              					_t555 = _v16;
              					_t821 = 0xf;
              					_t847 = _t555 + 0x00000006 & _t821;
              					_t904 = _t555 + 0x00000004 & _t821;
              					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
              					asm("rol edx, 1");
              					 *(_t881 + _t904 * 4) = _t825;
              					_t882 = _a12;
              					asm("rol ecx, 0x5");
              					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
              					_t564 = _v16;
              					asm("ror esi, 0x2");
              					_a12 = _t882;
              					_t884 = _t564 + 0x00000007 & 0x0000000f;
              					_t741 = _v20;
              					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
              					asm("rol edx, 1");
              					 *(_t741 + _t603 * 4) = _t830;
              					_t604 = _v24;
              					asm("rol ecx, 0x5");
              					asm("ror ebx, 0x2");
              					_v24 = _t604;
              					_t605 = _v20;
              					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
              					asm("rol ecx, 0x5");
              					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
              					asm("rol edx, 1");
              					_t605[_t847] = _t834;
              					_t845 = _v24;
              					asm("ror dword [esp+0x3c], 0x2");
              					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
              					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
              					_t905 = _a8;
              					asm("rol edx, 1");
              					_t605[_t884] = _t838;
              					_t606 = _a16;
              					_t885 = _v28;
              					asm("ror ebp, 0x2");
              					_t816 = _v8;
              					asm("rol ecx, 0x5");
              					_a8 = _t905;
              					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
              					_v16 = _t816;
              					_a12 = _t752;
              				} while (_t816 + 3 <= 0x4b);
              				_t592 = _a4;
              				_t592[1] = _t592[1] + _t885;
              				_t592[2] = _t592[2] + _t905;
              				_t592[3] = _t592[3] + _t606;
              				 *_t592 =  *_t592 + _t752;
              				_t592[4] = _t592[4] + _t845;
              				return _t592;
              			}


              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
              • Instruction ID: 29f6ae4e5fe41392beab91d32d540f01b7735656392520364e54a4db202eaf3c
              • Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
              • Instruction Fuzzy Hash: 015258B26087019FC758CF19C891A6AF7E1FFC8304F49992DF9968B255D334E919CB82
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E013866A2(signed int __ecx) {
              				void* __ebp;
              				signed int _t201;
              				signed int _t203;
              				signed int _t205;
              				signed int _t206;
              				signed int _t207;
              				signed int _t209;
              				signed int _t210;
              				signed int _t212;
              				signed int _t214;
              				signed int _t215;
              				signed int _t216;
              				signed int _t218;
              				signed int _t219;
              				signed int _t220;
              				signed int _t221;
              				unsigned int _t223;
              				signed int _t233;
              				signed int _t237;
              				signed int _t240;
              				signed int _t241;
              				signed int _t242;
              				signed int _t244;
              				signed int _t245;
              				signed short _t246;
              				signed int _t247;
              				signed int _t250;
              				signed int* _t251;
              				signed int _t253;
              				signed int _t254;
              				signed int _t255;
              				unsigned int _t256;
              				signed int _t259;
              				signed int _t260;
              				signed int _t261;
              				signed int _t263;
              				signed int _t264;
              				signed short _t265;
              				unsigned int _t269;
              				unsigned int _t274;
              				signed int _t279;
              				signed short _t280;
              				signed int _t284;
              				void* _t291;
              				signed int _t293;
              				signed int* _t295;
              				signed int _t296;
              				signed int _t297;
              				signed int _t301;
              				signed int _t304;
              				signed int _t305;
              				signed int _t308;
              				signed int _t309;
              				signed int _t310;
              				intOrPtr _t313;
              				intOrPtr _t314;
              				signed int _t315;
              				unsigned int _t318;
              				void* _t320;
              				signed int _t323;
              				signed int _t324;
              				unsigned int _t327;
              				void* _t329;
              				signed int _t332;
              				void* _t335;
              				signed int _t338;
              				signed int _t339;
              				intOrPtr* _t341;
              				void* _t342;
              				signed int _t345;
              				signed int* _t349;
              				signed int _t350;
              				unsigned int _t354;
              				void* _t356;
              				signed int _t359;
              				void* _t363;
              				signed int _t366;
              				signed int _t367;
              				unsigned int _t370;
              				void* _t372;
              				signed int _t375;
              				intOrPtr* _t377;
              				void* _t378;
              				signed int _t381;
              				void* _t384;
              				signed int _t388;
              				signed int _t389;
              				intOrPtr* _t391;
              				void* _t392;
              				signed int _t395;
              				void* _t398;
              				signed int _t401;
              				signed int _t402;
              				intOrPtr* _t404;
              				void* _t405;
              				signed int _t408;
              				signed int _t414;
              				unsigned int _t416;
              				unsigned int _t420;
              				signed int _t423;
              				signed int _t424;
              				unsigned int _t426;
              				unsigned int _t430;
              				signed int _t433;
              				signed int _t434;
              				void* _t435;
              				signed int _t436;
              				intOrPtr* _t438;
              				signed char _t440;
              				signed int _t442;
              				intOrPtr _t443;
              				signed int _t446;
              				signed int _t447;
              				signed int _t448;
              				void* _t455;
              
              				_t440 =  *(_t455 + 0x34);
              				 *(_t455 + 0x14) = __ecx;
              				if( *((char*)(_t440 + 0x2c)) != 0) {
              					L3:
              					_t313 =  *((intOrPtr*)(_t440 + 0x18));
              					_t438 = _t440 + 4;
              					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
              					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
              						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
              						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
              						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
              						 *(_t455 + 0x14) = _t201;
              						 *(_t455 + 0x10) = _t414;
              						_t293 = _t201;
              						__eflags = _t201 - _t414;
              						if(_t201 >= _t414) {
              							_t293 = _t414;
              						}
              						 *(_t455 + 0x3c) = _t293;
              						while(1) {
              							_t314 =  *_t438;
              							__eflags = _t314 - _t293;
              							if(_t314 < _t293) {
              								goto L15;
              							}
              							L9:
              							__eflags = _t314 - _t201;
              							if(__eflags > 0) {
              								L93:
              								L94:
              								return _t201;
              							}
              							if(__eflags != 0) {
              								L12:
              								__eflags = _t314 - _t414;
              								if(_t314 < _t414) {
              									L14:
              									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
              									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
              										L92:
              										 *((char*)(_t440 + 0x4ad3)) = 1;
              										goto L93;
              									}
              									goto L15;
              								}
              								__eflags =  *((char*)(_t440 + 0x4ad2));
              								if( *((char*)(_t440 + 0x4ad2)) == 0) {
              									goto L92;
              								}
              								goto L14;
              							}
              							_t201 =  *(_t440 + 8);
              							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
              							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
              								goto L93;
              							}
              							goto L12;
              							L15:
              							_t315 =  *(_t440 + 0x4adc);
              							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
              							if( *(_t440 + 0x4ad8) > _t315 - 8) {
              								_t284 = _t315 + _t315;
              								 *(_t440 + 0x4adc) = _t284;
              								_push(_t284 * 0xc);
              								_push( *(_t440 + 0x4ad4));
              								_t310 = E01392B5E(_t315, _t414);
              								__eflags = _t310;
              								if(_t310 == 0) {
              									E01376D3A(0x13b00e0);
              								}
              								 *(_t440 + 0x4ad4) = _t310;
              							}
              							_t203 =  *(_t440 + 0x4ad8);
              							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
              							 *(_t455 + 0x24) = _t295;
              							 *(_t440 + 0x4ad8) = _t203 + 1;
              							_t205 = E0137A4ED(_t438);
              							_t206 =  *(_t440 + 0xb4);
              							_t416 = _t205 & 0x0000fffe;
              							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
              							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
              								_t442 = 0xf;
              								_t207 = _t206 + 1;
              								__eflags = _t207 - _t442;
              								if(_t207 >= _t442) {
              									L27:
              									_t318 =  *(_t438 + 4) + _t442;
              									 *(_t438 + 4) = _t318 & 0x00000007;
              									_t209 = _t318 >> 3;
              									 *_t438 =  *_t438 + _t209;
              									_t320 = 0x10;
              									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
              									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
              									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
              									asm("sbb eax, eax");
              									_t210 = _t209 & _t323;
              									__eflags = _t210;
              									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
              									goto L28;
              								}
              								_t404 = _t440 + 0x34 + _t207 * 4;
              								while(1) {
              									__eflags = _t416 -  *_t404;
              									if(_t416 <  *_t404) {
              										break;
              									}
              									_t207 = _t207 + 1;
              									_t404 = _t404 + 4;
              									__eflags = _t207 - 0xf;
              									if(_t207 < 0xf) {
              										continue;
              									}
              									goto L27;
              								}
              								_t442 = _t207;
              								goto L27;
              							} else {
              								_t405 = 0x10;
              								_t436 = _t416 >> _t405 - _t206;
              								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
              								 *_t438 =  *_t438 + (_t408 >> 3);
              								 *(_t438 + 4) = _t408 & 0x00000007;
              								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
              								L28:
              								__eflags = _t324 - 0x100;
              								if(_t324 >= 0x100) {
              									__eflags = _t324 - 0x106;
              									if(_t324 < 0x106) {
              										__eflags = _t324 - 0x100;
              										if(_t324 != 0x100) {
              											__eflags = _t324 - 0x101;
              											if(_t324 != 0x101) {
              												_t212 = 3;
              												 *_t295 = _t212;
              												_t295[2] = _t324 - 0x102;
              												_t214 = E0137A4ED(_t438);
              												_t215 =  *(_t440 + 0x2d78);
              												_t420 = _t214 & 0x0000fffe;
              												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
              												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
              													_t296 = 0xf;
              													_t216 = _t215 + 1;
              													__eflags = _t216 - _t296;
              													if(_t216 >= _t296) {
              														L85:
              														_t327 =  *(_t438 + 4) + _t296;
              														 *(_t438 + 4) = _t327 & 0x00000007;
              														_t218 = _t327 >> 3;
              														 *_t438 =  *_t438 + _t218;
              														_t329 = 0x10;
              														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
              														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
              														asm("sbb eax, eax");
              														_t219 = _t218 & _t332;
              														__eflags = _t219;
              														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
              														L86:
              														_t297 = _t220 & 0x0000ffff;
              														__eflags = _t297 - 8;
              														if(_t297 >= 8) {
              															_t221 = 3;
              															_t446 = (_t297 >> 2) - 1;
              															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
              															__eflags = _t446;
              															if(_t446 != 0) {
              																_t223 = E0137A4ED(_t438);
              																_t335 = 0x10;
              																_t301 = _t301 + (_t223 >> _t335 - _t446);
              																_t338 =  *(_t438 + 4) + _t446;
              																 *_t438 =  *_t438 + (_t338 >> 3);
              																_t339 = _t338 & 0x00000007;
              																__eflags = _t339;
              																 *(_t438 + 4) = _t339;
              															}
              														} else {
              															_t301 = _t297 + 2;
              														}
              														( *(_t455 + 0x24))[1] = _t301;
              														L91:
              														_t414 =  *(_t455 + 0x14);
              														_t201 =  *(_t455 + 0x18);
              														_t293 =  *(_t455 + 0x3c);
              														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
              														while(1) {
              															_t314 =  *_t438;
              															__eflags = _t314 - _t293;
              															if(_t314 < _t293) {
              																goto L15;
              															}
              															goto L9;
              														}
              													}
              													_t341 = _t440 + 0x2cf8 + _t216 * 4;
              													while(1) {
              														__eflags = _t420 -  *_t341;
              														if(_t420 <  *_t341) {
              															break;
              														}
              														_t216 = _t216 + 1;
              														_t341 = _t341 + 4;
              														__eflags = _t216 - 0xf;
              														if(_t216 < 0xf) {
              															continue;
              														}
              														goto L85;
              													}
              													_t296 = _t216;
              													goto L85;
              												}
              												_t342 = 0x10;
              												_t423 = _t420 >> _t342 - _t215;
              												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
              												 *_t438 =  *_t438 + (_t345 >> 3);
              												 *(_t438 + 4) = _t345 & 0x00000007;
              												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
              												goto L86;
              											}
              											 *_t295 = 2;
              											L33:
              											_t414 =  *(_t455 + 0x14);
              											_t201 =  *(_t455 + 0x18);
              											_t293 =  *(_t455 + 0x3c);
              											continue;
              										}
              										_push(_t455 + 0x28);
              										E01383564(_t443, _t438);
              										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
              										_t295[2] =  *(_t455 + 0x2c);
              										_t424 = 4;
              										 *_t295 = _t424;
              										_t233 =  *(_t440 + 0x4ad8);
              										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
              										 *(_t440 + 0x4ad8) = _t233 + 1;
              										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
              										 *_t349 = _t424;
              										_t349[2] =  *(_t455 + 0x30);
              										goto L33;
              									}
              									_t237 = _t324 - 0x106;
              									__eflags = _t237 - 8;
              									if(_t237 >= 8) {
              										_t350 = 3;
              										_t304 = (_t237 >> 2) - 1;
              										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
              										__eflags = _t237;
              									} else {
              										_t304 = 0;
              									}
              									_t447 = _t237 + 2;
              									 *(_t455 + 0x10) = _t447;
              									__eflags = _t304;
              									if(_t304 != 0) {
              										_t274 = E0137A4ED(_t438);
              										_t398 = 0x10;
              										_t401 =  *(_t438 + 4) + _t304;
              										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
              										 *_t438 =  *_t438 + (_t401 >> 3);
              										_t402 = _t401 & 0x00000007;
              										__eflags = _t402;
              										 *(_t438 + 4) = _t402;
              									}
              									_t240 = E0137A4ED(_t438);
              									_t241 =  *(_t440 + 0xfa0);
              									_t426 = _t240 & 0x0000fffe;
              									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
              									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
              										_t305 = 0xf;
              										_t242 = _t241 + 1;
              										__eflags = _t242 - _t305;
              										if(_t242 >= _t305) {
              											L49:
              											_t354 =  *(_t438 + 4) + _t305;
              											 *(_t438 + 4) = _t354 & 0x00000007;
              											_t244 = _t354 >> 3;
              											 *_t438 =  *_t438 + _t244;
              											_t356 = 0x10;
              											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
              											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
              											asm("sbb eax, eax");
              											_t245 = _t244 & _t359;
              											__eflags = _t245;
              											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
              											goto L50;
              										}
              										_t391 = _t440 + 0xf20 + _t242 * 4;
              										while(1) {
              											__eflags = _t426 -  *_t391;
              											if(_t426 <  *_t391) {
              												break;
              											}
              											_t242 = _t242 + 1;
              											_t391 = _t391 + 4;
              											__eflags = _t242 - 0xf;
              											if(_t242 < 0xf) {
              												continue;
              											}
              											goto L49;
              										}
              										_t305 = _t242;
              										goto L49;
              									} else {
              										_t392 = 0x10;
              										_t434 = _t426 >> _t392 - _t241;
              										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
              										 *_t438 =  *_t438 + (_t395 >> 3);
              										 *(_t438 + 4) = _t395 & 0x00000007;
              										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
              										L50:
              										_t247 = _t246 & 0x0000ffff;
              										__eflags = _t247 - 4;
              										if(_t247 >= 4) {
              											_t308 = (_t247 >> 1) - 1;
              											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
              											__eflags = _t247;
              										} else {
              											_t308 = 0;
              										}
              										_t250 = _t247 + 1;
              										 *(_t455 + 0x20) = _t250;
              										_t448 = _t250;
              										__eflags = _t308;
              										if(_t308 == 0) {
              											L68:
              											__eflags = _t448 - 0x100;
              											if(_t448 > 0x100) {
              												_t253 =  *(_t455 + 0x10) + 1;
              												 *(_t455 + 0x10) = _t253;
              												__eflags = _t448 - 0x2000;
              												if(_t448 > 0x2000) {
              													_t254 = _t253 + 1;
              													 *(_t455 + 0x10) = _t254;
              													__eflags = _t448 - 0x40000;
              													if(_t448 > 0x40000) {
              														_t255 = _t254 + 1;
              														__eflags = _t255;
              														 *(_t455 + 0x10) = _t255;
              													}
              												}
              											}
              											_t251 =  *(_t455 + 0x24);
              											 *_t251 = 1;
              											_t251[1] =  *(_t455 + 0x10);
              											_t251[2] = _t448;
              											goto L91;
              										} else {
              											__eflags = _t308 - 4;
              											if(__eflags < 0) {
              												_t256 = E01387D76(_t438);
              												_t363 = 0x20;
              												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
              												_t366 =  *(_t438 + 4) + _t308;
              												 *_t438 =  *_t438 + (_t366 >> 3);
              												_t367 = _t366 & 0x00000007;
              												__eflags = _t367;
              												 *(_t438 + 4) = _t367;
              												goto L68;
              											}
              											if(__eflags > 0) {
              												_t269 = E01387D76(_t438);
              												_t384 = 0x24;
              												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
              												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
              												 *_t438 =  *_t438 + (_t388 >> 3);
              												_t389 = _t388 & 0x00000007;
              												__eflags = _t389;
              												 *(_t438 + 4) = _t389;
              											}
              											_t259 = E0137A4ED(_t438);
              											_t260 =  *(_t440 + 0x1e8c);
              											_t430 = _t259 & 0x0000fffe;
              											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
              											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
              												_t309 = 0xf;
              												_t261 = _t260 + 1;
              												__eflags = _t261 - _t309;
              												if(_t261 >= _t309) {
              													L65:
              													_t370 =  *(_t438 + 4) + _t309;
              													 *(_t438 + 4) = _t370 & 0x00000007;
              													_t263 = _t370 >> 3;
              													 *_t438 =  *_t438 + _t263;
              													_t372 = 0x10;
              													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
              													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
              													asm("sbb eax, eax");
              													_t264 = _t263 & _t375;
              													__eflags = _t264;
              													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
              													goto L66;
              												}
              												_t377 = _t440 + 0x1e0c + _t261 * 4;
              												while(1) {
              													__eflags = _t430 -  *_t377;
              													if(_t430 <  *_t377) {
              														break;
              													}
              													_t261 = _t261 + 1;
              													_t377 = _t377 + 4;
              													__eflags = _t261 - 0xf;
              													if(_t261 < 0xf) {
              														continue;
              													}
              													goto L65;
              												}
              												_t309 = _t261;
              												goto L65;
              											} else {
              												_t378 = 0x10;
              												_t433 = _t430 >> _t378 - _t260;
              												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
              												 *_t438 =  *_t438 + (_t381 >> 3);
              												 *(_t438 + 4) = _t381 & 0x00000007;
              												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
              												L66:
              												_t448 = _t448 + (_t265 & 0x0000ffff);
              												goto L68;
              											}
              										}
              									}
              								}
              								__eflags =  *(_t440 + 0x4ad8) - 1;
              								if( *(_t440 + 0x4ad8) <= 1) {
              									L34:
              									 *_t295 =  *_t295 & 0x00000000;
              									_t295[2] = _t324;
              									_t295[1] = 0;
              									goto L33;
              								}
              								__eflags =  *(_t295 - 0xc);
              								if( *(_t295 - 0xc) != 0) {
              									goto L34;
              								}
              								_t279 =  *(_t295 - 8) & 0x0000ffff;
              								_t435 = 3;
              								__eflags = _t279 - _t435;
              								if(_t279 >= _t435) {
              									goto L34;
              								}
              								_t280 = _t279 + 1;
              								 *(_t295 - 8) = _t280;
              								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
              								_t68 = _t440 + 0x4ad8;
              								 *_t68 =  *(_t440 + 0x4ad8) - 1;
              								__eflags =  *_t68;
              								goto L33;
              							}
              						}
              					}
              					 *((char*)(_t440 + 0x4ad0)) = 1;
              					goto L94;
              				} else {
              					 *((char*)(_t440 + 0x2c)) = 1;
              					_push(_t440 + 0x30);
              					_push(_t440 + 0x18);
              					_push(_t440 + 4);
              					_t291 = E0138397F(__ecx);
              					if(_t291 != 0) {
              						goto L3;
              					} else {
              						 *((char*)(_t440 + 0x4ad0)) = 1;
              						return _t291;
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cd81815d01b9a90e067cb614c3c49c82a18f4bbc9779ec9a8b4d56752c5faf72
              • Instruction ID: 3acf146a20c859f5a9a6c22ccb3b7d921319b9792655caceea2b86a4318416ba
              • Opcode Fuzzy Hash: cd81815d01b9a90e067cb614c3c49c82a18f4bbc9779ec9a8b4d56752c5faf72
              • Instruction Fuzzy Hash: 9B12D2F16147068BC729EF28C991AB9B7E1FB4430CF14892ED597C7A81D378A894CB45
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6271e63fc6e98a03595cd43c365f377693a63ade7ff729816da250bb1885c590
              • Instruction ID: 8985144810559dacb40ffc6b5d944666c6027e5e297eccd2575e08374a1546a1
              • Opcode Fuzzy Hash: 6271e63fc6e98a03595cd43c365f377693a63ade7ff729816da250bb1885c590
              • Instruction Fuzzy Hash: 9CF18771A083468FC725CE29C48452AFBF6FFC9258F144A2EF58587359D738E906CB82
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 8479f0c0bf2d8023fe639f659d5c7798774629433ee83dfccd8bdb1d95762202
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: 81C1A4722091934AEF2E563D857403FBEA96EA16B530A075DF8F3CB1D5FE20C264D620
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 69147be7d73bd8adecdde0101f20c710f6dbca8fd7175b00ee241caeac2fdaac
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: A7C166722091930AEF6E563D857413EBEB96EA26B531A075DF8B2CB1D5FE20C224D520
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction ID: 5bbfd07a5800916f00bccc4987d0c79a9b356097eed538cd78bfbdc2f98130c0
              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction Fuzzy Hash: 2FC198722052930AEF2E573DC57403EFEA96E926B531A075DE8B3CB1D5FE10D268D620
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 4fa1a1ef09dfe13aabbfb73eed2c92bbddc2f3120968607277939dec784dc64f
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: AEC177722052530AEF1E673D853413EFEB96EA16B931A075DE8B3CB1D5FE10D264D510
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7960f745205935621f2560065f9c4ce214ba5bea87fb004fb2f2a68414dda360
              • Instruction ID: 60c3c64f1bc9f99eede8cfea8fdd7eb23dc5ffaf2b528e7c55416db3fa3a89c0
              • Opcode Fuzzy Hash: 7960f745205935621f2560065f9c4ce214ba5bea87fb004fb2f2a68414dda360
              • Instruction Fuzzy Hash: 18E147755183908FC319CF29E49086ABBF0BB8A301F89095EF6C587356D335EA09DF62
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
              • Instruction ID: ff829ef79376611dc1e6219f8e7a3752f5e8332d65f75b3dc5a768781c38b149
              • Opcode Fuzzy Hash: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
              • Instruction Fuzzy Hash: 7A9146B020434A8BDB24FF6CC894BBE7B95BB9070CF14092DEA9697781DA79E148C751
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a4c55e141c33be6445ce2f5d764d4a9cae87e73a5a2a51af3a149d8d9742200
              • Instruction ID: 71f68bc1058b565f885692cabf1575533c5ea788d9685e75c41244708d419616
              • Opcode Fuzzy Hash: 2a4c55e141c33be6445ce2f5d764d4a9cae87e73a5a2a51af3a149d8d9742200
              • Instruction Fuzzy Hash: E26169F160470A66EF38993C8A987BEA7B8FF5160CF00051AE6C3DB6C1E611D94F8355
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
              • Instruction ID: f58a2a77d294fe993cb0d1ac510fc269bda4dfebb90041b32a471eb773be4028
              • Opcode Fuzzy Hash: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
              • Instruction Fuzzy Hash: A37134B06043468BEB35EF6DC8D0BAD7794BBA0B0CF04492DDA869B782DA78C585C751
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
              • Instruction ID: 121e3361f6401ea6f20855b4128aec908e0ad0b0c6652ef4958cc5666ff5a723
              • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
              • Instruction Fuzzy Hash: 965189F2A04A4957EF39957C85B47FF6FDDFB1260CF080909DA86CB682C615E902C356
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a60bcd147454fcd0793988daebb3a5c2fe53306cd917e09e775167ec5a6a67d
              • Instruction ID: be9c82b8005068f31889ebabb5bb1dc83272ee546d8249ba5b90293da741771b
              • Opcode Fuzzy Hash: 9a60bcd147454fcd0793988daebb3a5c2fe53306cd917e09e775167ec5a6a67d
              • Instruction Fuzzy Hash: B981A48221A2D49DC7268E7D34F52F53FA95B73341F1C40FAC6DA8729BE07A8658C721
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7cb6cc81bfa024ac2775ff22d25316d120ea596c11a8959cd46b0bacf187dce
              • Instruction ID: efbf0c2e467e84534864a34bedf035ddd6df086090150b49ca5dec1d60849400
              • Opcode Fuzzy Hash: b7cb6cc81bfa024ac2775ff22d25316d120ea596c11a8959cd46b0bacf187dce
              • Instruction Fuzzy Hash: 5B51F33190C3958EC722CF29819446EBFE1AFDA228F4948AEE4E55B213E134D649CF53
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 616d2612a521342aef9843188f5271567c8175410ae7016dd083018ebaab8295
              • Instruction ID: da193f3f8a0111f88493fbfb7ecc3bc8faa55449846c1d9e0e875298a5e03fff
              • Opcode Fuzzy Hash: 616d2612a521342aef9843188f5271567c8175410ae7016dd083018ebaab8295
              • Instruction Fuzzy Hash: EF5126B1A083028FC748CF19D49055AF7E1FF88324F054A2EE899A7741DB34EA59CBD6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
              • Instruction ID: 69e5c630153c9c00c008aee45b89623a70d37bc18bf2c031b74adfc10c91f4b7
              • Opcode Fuzzy Hash: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
              • Instruction Fuzzy Hash: 2C31F67560471A8FCB24EF2CC8502AEBBE0FB95608F04452DE9C5E7741C739E909CB51
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp Download File
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4665fdc34f311b9a8b2cdfba6c46bb3379dc7065683febfa9f1c45a75a02c0c9
              • Instruction ID: 3e4b6b0dbba772c3e0e87f71265e6f177e9cae2344c3cfb4c6f2b0289c6646b9
              • Opcode Fuzzy Hash: 4665fdc34f311b9a8b2cdfba6c46bb3379dc7065683febfa9f1c45a75a02c0c9
              • Instruction Fuzzy Hash: AD219F31A201714BCB2CCD2ED8A457A7759D756301B8A813BEE46DF3C5C539E925C7E0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E0137D70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
              				struct HWND__* _v8;
              				short _v2048;
              				char _v2208;
              				char _v2288;
              				signed int _v2292;
              				char _v2300;
              				intOrPtr _v2304;
              				struct tagRECT _v2320;
              				intOrPtr _v2324;
              				intOrPtr _v2336;
              				struct tagRECT _v2352;
              				struct tagRECT _v2368;
              				signed int _v2376;
              				char _v2377;
              				intOrPtr _v2384;
              				intOrPtr _v2393;
              				void* __ebx;
              				void* __esi;
              				signed int _t96;
              				signed int _t104;
              				struct HWND__* _t106;
              				signed int _t119;
              				signed int _t134;
              				void* _t150;
              				void* _t155;
              				char _t156;
              				void* _t157;
              				signed int _t158;
              				intOrPtr _t160;
              				void* _t163;
              				void* _t169;
              				long _t170;
              				signed int _t174;
              				signed int _t185;
              				struct HWND__* _t186;
              				struct HWND__* _t187;
              				void* _t188;
              				void* _t191;
              				signed int _t192;
              				long _t193;
              				void* _t200;
              				int* _t201;
              				struct HWND__* _t202;
              				void* _t204;
              				void* _t205;
              				void* _t207;
              				void* _t209;
              				void* _t213;
              
              				_t202 = __ecx;
              				_v2368.bottom = __ecx;
              				E01373E41( &_v2208, 0x50, L"$%s:", _a8);
              				_t207 =  &_v2368 + 0x10;
              				E013811FA( &_v2208,  &_v2288, 0x50);
              				_t96 = E01392BB0( &_v2300);
              				_t186 = _v8;
              				_t155 = 0;
              				_v2376 = _t96;
              				_t209 =  *0x13ad5f4 - _t155; // 0x63
              				if(_t209 <= 0) {
              					L8:
              					_t156 = E0137CD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
              					_v2377 = _t156;
              					GetWindowRect(_t186,  &_v2352);
              					GetClientRect(_t186,  &(_v2320.top));
              					_t169 = _v2352.right - _v2352.left + 1;
              					_t104 = _v2320.bottom;
              					_t191 = _v2352.bottom - _v2352.top + 1;
              					_v2368.right = 0x64;
              					_t204 = _t191 - _v2304;
              					_v2368.bottom = _t169 - _t104;
              					if(_t156 == 0) {
              						L15:
              						_t221 = _a12;
              						if(_a12 == 0 && E0137CE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
              							SetWindowTextW(_t186,  &_v2048);
              						}
              						L18:
              						_t205 = _t204 - GetSystemMetrics(8);
              						_t106 = GetWindow(_t186, 5);
              						_t187 = _t106;
              						_v2368.bottom = _t187;
              						if(_t156 == 0) {
              							L24:
              							return _t106;
              						}
              						_t157 = 0;
              						while(_t187 != 0) {
              							__eflags = _t157 - 0x200;
              							if(_t157 >= 0x200) {
              								goto L24;
              							}
              							GetWindowRect(_t187,  &_v2320);
              							_t170 = _v2320.top.left;
              							_t192 = 0x64;
              							asm("cdq");
              							_t193 = _v2320.left;
              							asm("cdq");
              							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
              							asm("cdq");
              							_t174 = 0x64;
              							asm("cdq");
              							asm("cdq");
              							 *0x13adfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
              							_t106 = GetWindow(_t187, 2);
              							_t187 = _t106;
              							__eflags = _t187 - _v2384;
              							if(_t187 == _v2384) {
              								goto L24;
              							}
              							_t157 = _t157 + 1;
              							__eflags = _t157;
              						}
              						goto L24;
              					}
              					if(_a12 != 0) {
              						goto L18;
              					}
              					_t158 = 0x64;
              					asm("cdq");
              					_t134 = _v2292 * _v2368.top;
              					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
              					_v2324 = _t160;
              					asm("cdq");
              					_t185 = _t134 % _v2352.top;
              					_v2352.left = _t134 / _v2352.top + _t204;
              					asm("cdq");
              					asm("cdq");
              					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
              					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
              					if(_t163 < 0) {
              						_t163 = 0;
              					}
              					if(_t200 < 0) {
              						_t200 = 0;
              					}
              					 *0x13adfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
              					GetWindowRect(_t186,  &_v2368);
              					_t156 = _v2393;
              					goto L15;
              				} else {
              					_t201 = 0x13ad154;
              					do {
              						if( *_t201 > 0) {
              							_t9 =  &(_t201[1]); // 0x13a33e0
              							_t150 = E01395460( &_v2288,  *_t9, _t96);
              							_t207 = _t207 + 0xc;
              							if(_t150 == 0) {
              								_t12 =  &(_t201[1]); // 0x13a33e0
              								if(E0137CF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
              									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
              								}
              							}
              							_t96 = _v2368.top;
              						}
              						_t155 = _t155 + 1;
              						_t201 =  &(_t201[3]);
              						_t213 = _t155 -  *0x13ad5f4; // 0x63
              					} while (_t213 < 0);
              					goto L8;
              				}
              			}

              APIs
              • _swprintf.LIBCMT ref: 0137D731
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
                • Part of subcall function 013811FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,013B0078,?,0137CE91,00000000,?,00000050,013B0078), ref: 01381217
              • _strlen.LIBCMT ref: 0137D752
              • SetDlgItemTextW.USER32(?,013AD154,?), ref: 0137D7B2
              • GetWindowRect.USER32(?,?), ref: 0137D7EC
              • GetClientRect.USER32(?,?), ref: 0137D7F8
              • GetWindowLongW.USER32(?,000000F0), ref: 0137D896
              • GetWindowRect.USER32(?,?), ref: 0137D8C3
              • SetWindowTextW.USER32(?,?), ref: 0137D906
              • GetSystemMetrics.USER32(00000008), ref: 0137D90E
              • GetWindow.USER32(?,00000005), ref: 0137D919
              • GetWindowRect.USER32(00000000,?), ref: 0137D946
              • GetWindow.USER32(00000000,00000002), ref: 0137D9B8
              Similarity
              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
              • String ID: $%s:$CAPTION$d
              • API String ID: 2407758923-2512411981
              • Opcode ID: d61b092ca33554b0104a4862310061b62f015e83ffc44eaa028396d0068039ca
              • Instruction ID: c6b517e22615d66174eb21a0d2ff350861c6a11b761473f192c109a1d7b13ee7
              • Opcode Fuzzy Hash: d61b092ca33554b0104a4862310061b62f015e83ffc44eaa028396d0068039ca
              • Instruction Fuzzy Hash: 27819171108345AFD721DFA8CC88B6FBBEDEF89718F44491DFA8497284D674E8098B52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0139B784(intOrPtr _a4) {
              				intOrPtr _v8;
              				intOrPtr _t25;
              				intOrPtr* _t26;
              				intOrPtr _t28;
              				intOrPtr* _t29;
              				intOrPtr* _t31;
              				intOrPtr* _t45;
              				intOrPtr* _t46;
              				intOrPtr* _t47;
              				intOrPtr* _t55;
              				intOrPtr* _t70;
              				intOrPtr _t74;
              
              				_t74 = _a4;
              				_t25 =  *((intOrPtr*)(_t74 + 0x88));
              				if(_t25 != 0 && _t25 != 0x13add50) {
              					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
              					if(_t45 != 0 &&  *_t45 == 0) {
              						_t46 =  *((intOrPtr*)(_t74 + 0x84));
              						if(_t46 != 0 &&  *_t46 == 0) {
              							E01397A50(_t46);
              							E0139B363( *((intOrPtr*)(_t74 + 0x88)));
              						}
              						_t47 =  *((intOrPtr*)(_t74 + 0x80));
              						if(_t47 != 0 &&  *_t47 == 0) {
              							E01397A50(_t47);
              							E0139B461( *((intOrPtr*)(_t74 + 0x88)));
              						}
              						E01397A50( *((intOrPtr*)(_t74 + 0x7c)));
              						E01397A50( *((intOrPtr*)(_t74 + 0x88)));
              					}
              				}
              				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
              				if(_t26 != 0 &&  *_t26 == 0) {
              					E01397A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
              					E01397A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
              					E01397A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
              					E01397A50( *((intOrPtr*)(_t74 + 0x8c)));
              				}
              				E0139B8F7( *((intOrPtr*)(_t74 + 0x9c)));
              				_t28 = 6;
              				_t55 = _t74 + 0xa0;
              				_v8 = _t28;
              				_t70 = _t74 + 0x28;
              				do {
              					if( *((intOrPtr*)(_t70 - 8)) != 0x13ad818) {
              						_t31 =  *_t70;
              						if(_t31 != 0 &&  *_t31 == 0) {
              							E01397A50(_t31);
              							E01397A50( *_t55);
              						}
              						_t28 = _v8;
              					}
              					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
              						_t29 =  *((intOrPtr*)(_t70 - 4));
              						if(_t29 != 0 &&  *_t29 == 0) {
              							E01397A50(_t29);
              						}
              						_t28 = _v8;
              					}
              					_t55 = _t55 + 4;
              					_t70 = _t70 + 0x10;
              					_t28 = _t28 - 1;
              					_v8 = _t28;
              				} while (_t28 != 0);
              				return E01397A50(_t74);
              			}

              APIs
              • ___free_lconv_mon.LIBCMT ref: 0139B7C8
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B380
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B392
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3A4
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3B6
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3C8
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3DA
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3EC
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B3FE
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B410
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B422
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B434
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B446
                • Part of subcall function 0139B363: _free.LIBCMT ref: 0139B458
              • _free.LIBCMT ref: 0139B7BD
                • Part of subcall function 01397A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?), ref: 01397A66
                • Part of subcall function 01397A50: GetLastError.KERNEL32(?,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?,?), ref: 01397A78
              • _free.LIBCMT ref: 0139B7DF
              • _free.LIBCMT ref: 0139B7F4
              • _free.LIBCMT ref: 0139B7FF
              • _free.LIBCMT ref: 0139B821
              • _free.LIBCMT ref: 0139B834
              • _free.LIBCMT ref: 0139B842
              • _free.LIBCMT ref: 0139B84D
              • _free.LIBCMT ref: 0139B885
              • _free.LIBCMT ref: 0139B88C
              • _free.LIBCMT ref: 0139B8A9
              • _free.LIBCMT ref: 0139B8C1
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              • Opcode ID: e10de11e90e07f617408744001474b19ac7ad0f0784473f41dfd4f5634f123be
              • Instruction ID: 455a00701b1656aa5f038c3e07e52f952f0b46cc4c2039122f146b65935f2b67
              • Opcode Fuzzy Hash: e10de11e90e07f617408744001474b19ac7ad0f0784473f41dfd4f5634f123be
              • Instruction Fuzzy Hash: 763170315043429FFF21AA7DE844F5BBBE8EF05258F145429E159DB294DF34A9408B18
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138C343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
              				intOrPtr _v20;
              				intOrPtr _v24;
              				void _v28;
              				short _v4124;
              				void* _t10;
              				struct HWND__* _t11;
              				void* _t21;
              				void* _t28;
              				void* _t29;
              				void* _t31;
              				struct HWND__* _t34;
              				void* _t45;
              
              				_t45 = __fp0;
              				_t29 = __edx;
              				E0138D940();
              				_t10 = E0138952A(__eflags);
              				if(_t10 == 0) {
              					return _t10;
              				}
              				_t11 = GetWindow(_a4, 5);
              				_t34 = _t11;
              				_t31 = 0;
              				_a4 = _t34;
              				if(_t34 == 0) {
              					L11:
              					return _t11;
              				}
              				while(_t31 < 0x200) {
              					GetClassNameW(_t34,  &_v4124, 0x800);
              					if(E01381410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
              						_t28 = SendMessageW(_t34, 0x173, 0, 0);
              						if(_t28 != 0) {
              							GetObjectW(_t28, 0x18,  &_v28);
              							_t21 = E0138958C(_v20);
              							SendMessageW(_t34, 0x172, 0, E0138975D(_t29, _t45, _t28, E01389549(_v24), _t21));
              							DeleteObject(_t28);
              						}
              					}
              					_t11 = GetWindow(_t34, 2);
              					_t34 = _t11;
              					if(_t34 != _a4) {
              						_t31 = _t31 + 1;
              						if(_t34 != 0) {
              							continue;
              						}
              					}
              					break;
              				}
              				goto L11;
              			}

              APIs
              • GetWindow.USER32(?,00000005), ref: 0138C364
              • GetClassNameW.USER32(00000000,?,00000800), ref: 0138C393
                • Part of subcall function 01381410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0137ACFE,?,?,?,0137ACAD,?,-00000002,?,00000000,?), ref: 01381426
              • GetWindowLongW.USER32(00000000,000000F0), ref: 0138C3B1
              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0138C3C8
              • GetObjectW.GDI32(00000000,00000018,?), ref: 0138C3DB
                • Part of subcall function 0138958C: GetDC.USER32(00000000), ref: 01389598
                • Part of subcall function 0138958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 013895A7
                • Part of subcall function 0138958C: ReleaseDC.USER32(00000000,00000000), ref: 013895B5
                • Part of subcall function 01389549: GetDC.USER32(00000000), ref: 01389555
                • Part of subcall function 01389549: GetDeviceCaps.GDI32(00000000,00000058), ref: 01389564
                • Part of subcall function 01389549: ReleaseDC.USER32(00000000,00000000), ref: 01389572
              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0138C402
              • DeleteObject.GDI32(00000000), ref: 0138C409
              • GetWindow.USER32(00000000,00000002), ref: 0138C412
              Similarity
              • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
              • String ID: STATIC
              • API String ID: 1444658586-1882779555
              • Opcode ID: 2576606a1dd9d7b5a84a5fc1fc46b0121502279412be4e9139545d13cb08d7be
              • Instruction ID: 0bef5d0b867b5e3445e31c98f057075efb378118282c3426c35c29dfb5e17006
              • Opcode Fuzzy Hash: 2576606a1dd9d7b5a84a5fc1fc46b0121502279412be4e9139545d13cb08d7be
              • Instruction Fuzzy Hash: 0721AE72540315BBEB227BBC8C4AFFF7A2CEB55708F409021FA05B7085CB644A8687B0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E01398422(char _a4) {
              				char _v8;
              
              				_t26 = _a4;
              				_t52 =  *_a4;
              				if( *_a4 != 0x13a4be0) {
              					E01397A50(_t52);
              					_t26 = _a4;
              				}
              				E01397A50( *((intOrPtr*)(_t26 + 0x3c)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x30)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x34)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x38)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x28)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x2c)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x40)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x44)));
              				E01397A50( *((intOrPtr*)(_a4 + 0x360)));
              				_v8 =  &_a4;
              				E013982E8(5,  &_v8);
              				_v8 =  &_a4;
              				return E01398338(4,  &_v8);
              			}

              APIs
              • _free.LIBCMT ref: 01398436
                • Part of subcall function 01397A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?), ref: 01397A66
                • Part of subcall function 01397A50: GetLastError.KERNEL32(?,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?,?), ref: 01397A78
              • _free.LIBCMT ref: 01398442
              • _free.LIBCMT ref: 0139844D
              • _free.LIBCMT ref: 01398458
              • _free.LIBCMT ref: 01398463
              • _free.LIBCMT ref: 0139846E
              • _free.LIBCMT ref: 01398479
              • _free.LIBCMT ref: 01398484
              • _free.LIBCMT ref: 0139848F
              • _free.LIBCMT ref: 0139849D
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 3d0d1a9a7ed6c15e7049aa7c3f6ee34999ad55930ac3806bda7f80fd79ff2d5b
              • Instruction ID: 331d461b10ec034d177f01dd7d16e8956fb2bf8f5b1d4629145ffa100b30a6c7
              • Opcode Fuzzy Hash: 3d0d1a9a7ed6c15e7049aa7c3f6ee34999ad55930ac3806bda7f80fd79ff2d5b
              • Instruction Fuzzy Hash: 4011B376120109FFDF01EFA8C841CDE3BB9EF19294B4191A5FA198F261DA35EB509F84
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E0137200C(intOrPtr __ecx) {
              				signed int _t135;
              				void* _t137;
              				signed int _t139;
              				unsigned int _t140;
              				signed int _t144;
              				signed int _t161;
              				signed int _t164;
              				void* _t167;
              				void* _t172;
              				signed int _t175;
              				signed char _t178;
              				signed char _t179;
              				signed char _t180;
              				signed int _t182;
              				signed int _t185;
              				signed int _t187;
              				signed int _t188;
              				signed char _t220;
              				signed char _t232;
              				signed int _t233;
              				signed int _t236;
              				intOrPtr _t240;
              				signed int _t244;
              				signed int _t246;
              				signed int _t247;
              				signed int _t257;
              				signed int _t258;
              				signed char _t262;
              				signed int _t263;
              				signed int _t265;
              				intOrPtr _t272;
              				intOrPtr _t275;
              				intOrPtr _t278;
              				intOrPtr _t314;
              				signed int _t315;
              				intOrPtr _t318;
              				signed int _t322;
              				void* _t323;
              				void* _t324;
              				void* _t326;
              				void* _t327;
              				void* _t328;
              				void* _t329;
              				void* _t330;
              				void* _t331;
              				void* _t332;
              				void* _t333;
              				void* _t334;
              				intOrPtr* _t336;
              				signed int _t339;
              				void* _t340;
              				signed int _t341;
              				char* _t342;
              				void* _t343;
              				void* _t344;
              				signed int _t348;
              				signed int _t351;
              				signed int _t366;
              
              				E0138D940();
              				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
              				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
              				_t314 =  *((intOrPtr*)(_t318 + 0x18));
              				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
              				if(_t135 <  *(_t318 + 0x1c)) {
              					L104:
              					return _t135;
              				}
              				_t315 = _t314 - _t135;
              				 *(_t318 + 0x1c) = _t135;
              				if(_t315 >= 2) {
              					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
              					while(1) {
              						_t135 = E0137C39E(_t315);
              						_t244 = _t135;
              						_t348 = _t315;
              						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
              							break;
              						}
              						_t322 =  *(_t318 + 0x1c);
              						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
              						if(_t135 == 0) {
              							break;
              						}
              						_t351 = _t315;
              						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
              							break;
              						} else {
              							_t339 = _t322 + _t244;
              							 *(_t344 + 0x28) = _t339;
              							_t137 = E0137C39E(_t315);
              							_t340 = _t339 -  *(_t318 + 0x1c);
              							_t323 = _t137;
              							_t135 = _t315;
              							_t246 = 0;
              							 *(_t344 + 0x24) = _t135;
              							 *(_t344 + 0x20) = 0;
              							if(0 < 0 || 0 <= 0 && _t340 < 0) {
              								break;
              							} else {
              								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
              									 *((char*)(_t240 + 0x1e)) = 1;
              									_t232 = E0137C39E(_t315);
              									 *(_t344 + 0x1c) = _t232;
              									if((_t232 & 0x00000001) != 0) {
              										_t236 = E0137C39E(_t315);
              										if((_t236 | _t315) != 0) {
              											asm("adc eax, edx");
              											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
              											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
              										}
              										_t232 =  *(_t344 + 0x1c);
              									}
              									if((_t232 & 0x00000002) != 0) {
              										_t233 = E0137C39E(_t315);
              										if((_t233 | _t315) != 0) {
              											asm("adc eax, edx");
              											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
              											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
              										}
              									}
              									_t246 =  *(_t344 + 0x20);
              									_t135 =  *(_t344 + 0x24);
              								}
              								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
              									_t366 = _t135;
              									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
              										goto L102;
              									} else {
              										_t324 = _t323 - 1;
              										if(_t324 == 0) {
              											_t139 = E0137C39E(_t315);
              											__eflags = _t139;
              											if(_t139 == 0) {
              												_t140 = E0137C39E(_t315);
              												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
              												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
              												_t144 = E0137C251(_t318) & 0x000000ff;
              												 *(_t240 + 0x10ec) = _t144;
              												__eflags = _t144 - 0x18;
              												if(_t144 > 0x18) {
              													E01373E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
              													_t257 =  *(_t344 + 0x28);
              													_t167 = _t344 + 0x40;
              													_t344 = _t344 + 0x10;
              													E01373DEC(_t257, _t240 + 0x28, _t167);
              												}
              												E0137C300(_t318, _t240 + 0x10a1, 0x10);
              												E0137C300(_t318, _t240 + 0x10b1, 0x10);
              												__eflags =  *(_t240 + 0x10c1);
              												if( *(_t240 + 0x10c1) != 0) {
              													_t325 = _t240 + 0x10c2;
              													E0137C300(_t318, _t240 + 0x10c2, 8);
              													E0137C300(_t318, _t344 + 0x30, 4);
              													E0137F524(_t344 + 0x58);
              													E0137F56A(_t344 + 0x60, _t240 + 0x10c2, 8);
              													_push(_t344 + 0x30);
              													E0137F435(_t344 + 0x5c);
              													_t161 = E0138F3CA(_t344 + 0x34, _t344 + 0x34, 4);
              													_t344 = _t344 + 0xc;
              													asm("sbb al, al");
              													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
              													 *(_t240 + 0x10c1) =  ~_t161 + 1;
              													if( *((intOrPtr*)(_t240 + 4)) == 3) {
              														_t164 = E0138F3CA(_t325, 0x13a2398, 8);
              														_t344 = _t344 + 0xc;
              														__eflags = _t164;
              														if(_t164 == 0) {
              															 *(_t240 + 0x10c1) = _t164;
              														}
              													}
              												}
              												 *((char*)(_t240 + 0x10a0)) = 1;
              												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
              												 *((char*)(_t240 + 0x109b)) = 1;
              											} else {
              												E01373E41(_t344 + 0x38, 0x14, L"x%u", _t139);
              												_t258 =  *(_t344 + 0x28);
              												_t172 = _t344 + 0x40;
              												_t344 = _t344 + 0x10;
              												E01373DEC(_t258, _t240 + 0x28, _t172);
              											}
              											goto L102;
              										}
              										_t326 = _t324 - 1;
              										if(_t326 == 0) {
              											_t175 = E0137C39E(_t315);
              											__eflags = _t175;
              											if(_t175 != 0) {
              												goto L102;
              											}
              											_push(0x20);
              											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
              											_push(_t240 + 0x1074);
              											L40:
              											E0137C300(_t318);
              											goto L102;
              										}
              										_t327 = _t326 - 1;
              										if(_t327 == 0) {
              											__eflags = _t246;
              											if(__eflags < 0) {
              												goto L102;
              											}
              											if(__eflags > 0) {
              												L65:
              												_t178 = E0137C39E(_t315);
              												 *(_t344 + 0x13) = _t178;
              												_t179 = _t178 & 0x00000001;
              												_t262 =  *(_t344 + 0x13);
              												 *(_t344 + 0x14) = _t179;
              												_t315 = _t262 & 0x00000002;
              												__eflags = _t315;
              												 *(_t344 + 0x15) = _t315;
              												if(_t315 != 0) {
              													_t278 = _t318;
              													__eflags = _t179;
              													if(__eflags == 0) {
              														E01380A64(_t240 + 0x1040, _t315, E0137C2E0(_t278, __eflags), _t315);
              													} else {
              														E01380A25(_t240 + 0x1040, _t315, E0137C29E(_t278), 0);
              													}
              													_t262 =  *(_t344 + 0x13);
              													_t179 =  *(_t344 + 0x14);
              												}
              												_t263 = _t262 & 0x00000004;
              												__eflags = _t263;
              												 *(_t344 + 0x16) = _t263;
              												if(_t263 != 0) {
              													_t275 = _t318;
              													__eflags = _t179;
              													if(__eflags == 0) {
              														E01380A64(_t240 + 0x1048, _t315, E0137C2E0(_t275, __eflags), _t315);
              													} else {
              														E01380A25(_t240 + 0x1048, _t315, E0137C29E(_t275), 0);
              													}
              												}
              												_t180 =  *(_t344 + 0x13);
              												_t265 = _t180 & 0x00000008;
              												__eflags = _t265;
              												 *(_t344 + 0x17) = _t265;
              												if(_t265 != 0) {
              													__eflags =  *(_t344 + 0x14);
              													_t272 = _t318;
              													if(__eflags == 0) {
              														E01380A64(_t240 + 0x1050, _t315, E0137C2E0(_t272, __eflags), _t315);
              													} else {
              														E01380A25(_t240 + 0x1050, _t315, E0137C29E(_t272), 0);
              													}
              													_t180 =  *(_t344 + 0x13);
              												}
              												__eflags =  *(_t344 + 0x14);
              												if( *(_t344 + 0x14) != 0) {
              													__eflags = _t180 & 0x00000010;
              													if((_t180 & 0x00000010) != 0) {
              														__eflags =  *(_t344 + 0x15);
              														if( *(_t344 + 0x15) == 0) {
              															_t341 = 0x3fffffff;
              															_t328 = 0x3b9aca00;
              														} else {
              															_t187 = E0137C29E(_t318);
              															_t341 = 0x3fffffff;
              															_t328 = 0x3b9aca00;
              															_t188 = _t187 & 0x3fffffff;
              															__eflags = _t188 - 0x3b9aca00;
              															if(_t188 < 0x3b9aca00) {
              																E013806D0(_t240 + 0x1040, _t188, 0);
              															}
              														}
              														__eflags =  *(_t344 + 0x16);
              														if( *(_t344 + 0x16) != 0) {
              															_t185 = E0137C29E(_t318) & _t341;
              															__eflags = _t185 - _t328;
              															if(_t185 < _t328) {
              																E013806D0(_t240 + 0x1048, _t185, 0);
              															}
              														}
              														__eflags =  *(_t344 + 0x17);
              														if( *(_t344 + 0x17) != 0) {
              															_t182 = E0137C29E(_t318) & _t341;
              															__eflags = _t182 - _t328;
              															if(_t182 < _t328) {
              																E013806D0(_t240 + 0x1050, _t182, 0);
              															}
              														}
              													}
              												}
              												goto L102;
              											}
              											__eflags = _t340 - 5;
              											if(_t340 < 5) {
              												goto L102;
              											}
              											goto L65;
              										}
              										_t329 = _t327 - 1;
              										if(_t329 == 0) {
              											__eflags = _t246;
              											if(__eflags < 0) {
              												goto L102;
              											}
              											if(__eflags > 0) {
              												L60:
              												E0137C39E(_t315);
              												__eflags = E0137C39E(_t315);
              												if(__eflags != 0) {
              													 *((char*)(_t240 + 0x10f3)) = 1;
              													E01373E41(_t344 + 0x38, 0x14, L";%u", _t203);
              													_t344 = _t344 + 0x10;
              													E0137FA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
              												}
              												goto L102;
              											}
              											__eflags = _t340 - 1;
              											if(_t340 < 1) {
              												goto L102;
              											}
              											goto L60;
              										}
              										_t330 = _t329 - 1;
              										if(_t330 == 0) {
              											 *((intOrPtr*)(_t240 + 0x1100)) = E0137C39E(_t315);
              											 *(_t240 + 0x2104) = E0137C39E(_t315) & 0x00000001;
              											_t331 = E0137C39E(_t315);
              											 *((char*)(_t344 + 0xc0)) = 0;
              											__eflags = _t331 - 0x1fff;
              											if(_t331 < 0x1fff) {
              												E0137C300(_t318, _t344 + 0xc4, _t331);
              												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
              											}
              											E0137B9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
              											_push(0x800);
              											_push(_t240 + 0x1104);
              											_push(_t344 + 0xc8);
              											E01381094();
              											goto L102;
              										}
              										_t332 = _t330 - 1;
              										if(_t332 == 0) {
              											_t220 = E0137C39E(_t315);
              											 *(_t344 + 0x1c) = _t220;
              											_t342 = _t240 + 0x2108;
              											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
              											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
              											 *((char*)(_t240 + 0x2208)) = 0;
              											 *_t342 = 0;
              											__eflags = _t220 & 0x00000001;
              											if((_t220 & 0x00000001) != 0) {
              												_t334 = E0137C39E(_t315);
              												__eflags = _t334 - 0xff;
              												if(_t334 >= 0xff) {
              													_t334 = 0xff;
              												}
              												E0137C300(_t318, _t342, _t334);
              												_t220 =  *(_t344 + 0x1c);
              												 *((char*)(_t334 + _t342)) = 0;
              											}
              											__eflags = _t220 & 0x00000002;
              											if((_t220 & 0x00000002) != 0) {
              												_t333 = E0137C39E(_t315);
              												__eflags = _t333 - 0xff;
              												if(_t333 >= 0xff) {
              													_t333 = 0xff;
              												}
              												_t343 = _t240 + 0x2208;
              												E0137C300(_t318, _t343, _t333);
              												 *((char*)(_t333 + _t343)) = 0;
              											}
              											__eflags =  *(_t240 + 0x2106);
              											if( *(_t240 + 0x2106) != 0) {
              												 *((intOrPtr*)(_t240 + 0x2308)) = E0137C39E(_t315);
              											}
              											__eflags =  *(_t240 + 0x2107);
              											if( *(_t240 + 0x2107) != 0) {
              												 *((intOrPtr*)(_t240 + 0x230c)) = E0137C39E(_t315);
              											}
              											 *((char*)(_t240 + 0x2105)) = 1;
              											goto L102;
              										}
              										if(_t332 != 1) {
              											goto L102;
              										}
              										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
              											_t340 = _t340 + 1;
              										}
              										_t336 = _t240 + 0x1028;
              										E01371EDE(_t336, _t340);
              										_push(_t340);
              										_push( *_t336);
              										goto L40;
              									}
              								} else {
              									L102:
              									_t247 =  *(_t344 + 0x28);
              									 *(_t318 + 0x1c) = _t247;
              									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
              									if(_t135 >= 2) {
              										continue;
              									}
              									break;
              								}
              							}
              						}
              					}
              				}
              			}

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: ;%u$x%u$xc%u
              • API String ID: 0-2277559157
              • Opcode ID: 6411478be168b07beb6af7a3ed49d869b511e6247543bf538eb57541ef2da105
              • Instruction ID: 79c80675958dacf4afb393fe7a3e6850f4b6e261d162c5078bfabf4debb077e2
              • Opcode Fuzzy Hash: 6411478be168b07beb6af7a3ed49d869b511e6247543bf538eb57541ef2da105
              • Instruction Fuzzy Hash: EEF14C716043425BEB35EF2C8884BFF7BD9AFA431CF08056DED859B286CA6C9544C761
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E0138A3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
              				long _t9;
              				long _t10;
              				WCHAR* _t11;
              				void* _t25;
              				signed short _t28;
              				intOrPtr _t31;
              				struct HWND__* _t35;
              				intOrPtr _t36;
              				void* _t37;
              				struct HWND__* _t38;
              
              				_t28 = _a12;
              				_t36 = _a8;
              				_t35 = _a4;
              				if(E013712D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
              					L16:
              					__eflags = 1;
              					return 1;
              				}
              				_t37 = _t36 - 0x110;
              				if(_t37 == 0) {
              					E0138C343(__edx, __eflags, __fp0, _t35);
              					_t9 =  *0x13bb704;
              					__eflags = _t9;
              					if(_t9 != 0) {
              						SendMessageW(_t35, 0x80, 1, _t9);
              					}
              					_t10 =  *0x13c5d04;
              					__eflags = _t10;
              					if(_t10 != 0) {
              						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
              					}
              					_t11 =  *0x13cde1c;
              					__eflags = _t11;
              					if(__eflags != 0) {
              						SetWindowTextW(_t35, _t11);
              					}
              					_t38 = GetDlgItem(_t35, 0x65);
              					SendMessageW(_t38, 0x435, 0, 0x10000);
              					SendMessageW(_t38, 0x443, 0,  *0x13adf40(0xf));
              					 *0x13adf3c(_t35);
              					_t31 =  *0x13b75ec; // 0x0
              					E01388FE6(_t31, __eflags,  *0x13b0064, _t38,  *0x13cde18, 0, 0);
              					L01392B4E( *0x13cde1c);
              					L01392B4E( *0x13cde18);
              					goto L16;
              				}
              				if(_t37 != 1) {
              					L5:
              					return 0;
              				}
              				_t25 = (_t28 & 0x0000ffff) - 1;
              				if(_t25 == 0) {
              					_push(1);
              					L7:
              					EndDialog(_t35, ??);
              					goto L16;
              				}
              				if(_t25 == 1) {
              					_push(0);
              					goto L7;
              				}
              				goto L5;
              			}














              APIs
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              • EndDialog.USER32(?,00000001), ref: 0138A431
              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0138A45E
              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0138A473
              • SetWindowTextW.USER32(?,?), ref: 0138A484
              • GetDlgItem.USER32(?,00000065), ref: 0138A48D
              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0138A4A1
              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0138A4B3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Item$TextWindow$Dialog
              • String ID: LICENSEDLG
              • API String ID: 3214253823-2177901306
              • Opcode ID: 66682d583600dfff7c8ee26e4cc44cb38981af10a4f2ac424237d9c71c9799bd
              • Instruction ID: 6e524186f81d8a0f5febc532ffc562bd2939732a00dd6411429d2f97c1648f99
              • Opcode Fuzzy Hash: 66682d583600dfff7c8ee26e4cc44cb38981af10a4f2ac424237d9c71c9799bd
              • Instruction Fuzzy Hash: C821B2322443097BEA316BBDEC89E7B7B6CEB56B89F414015F700B3684CB96A8019771
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E01379268(void* __ecx) {
              				void* _t31;
              				short _t32;
              				long _t34;
              				void* _t39;
              				short _t41;
              				void* _t65;
              				intOrPtr _t68;
              				void* _t76;
              				intOrPtr _t79;
              				void* _t82;
              				WCHAR* _t83;
              				void* _t85;
              				void* _t87;
              
              				E0138D870(E013A1336, _t85);
              				E0138D940();
              				_t83 =  *(_t85 + 8);
              				_t31 = _t85 - 0x4030;
              				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
              				if(_t31 == 0 || _t31 >= 0x800) {
              					L20:
              					_t32 = 0;
              					__eflags = 0;
              				} else {
              					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
              					if(_t34 == 0) {
              						goto L20;
              					} else {
              						_t92 = _t34 - 0x800;
              						if(_t34 >= 0x800) {
              							goto L20;
              						} else {
              							 *(_t85 + 8) = E0137B943(_t92, _t85 - 0x4030);
              							_t78 = E0137B943(_t92, _t85 - 0x5030);
              							_t68 = 0;
              							if( *_t38 == 0) {
              								goto L20;
              							} else {
              								_t39 = E01381410( *(_t85 + 8), _t78);
              								_t94 = _t39;
              								if(_t39 == 0) {
              									goto L20;
              								} else {
              									_t41 = E01381410(E0137B943(_t94, _t83), _t78);
              									if(_t41 != 0) {
              										goto L20;
              									} else {
              										 *(_t85 - 0x100c) = _t41;
              										_t79 = 0;
              										while(1) {
              											_t96 = _t41;
              											if(_t41 != 0) {
              												break;
              											}
              											E0137FAB1(_t85 - 0x100c, _t83, 0x800);
              											E01373E41(E0137B943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
              											_t87 = _t87 + 0x10;
              											if(E01379E6B(_t85 - 0x100c) == 0) {
              												_t41 =  *(_t85 - 0x100c);
              											} else {
              												_t41 = 0;
              												 *(_t85 - 0x100c) = 0;
              											}
              											_t79 = _t79 + 0x7b;
              											if(_t79 < 0x2710) {
              												continue;
              											} else {
              												_t99 = _t41;
              												if(_t41 == 0) {
              													goto L20;
              												} else {
              													break;
              												}
              											}
              											goto L21;
              										}
              										E0137FAB1(_t85 - 0x3030, _t83, 0x800);
              										_push(0x800);
              										E0137B9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
              										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
              											goto L20;
              										} else {
              											E0137943C(_t85 - 0x2030);
              											 *((intOrPtr*)(_t85 - 4)) = _t68;
              											if(E01379E6B(_t83) == 0) {
              												_push(0x12);
              												_push(_t83);
              												_t68 = E01379528(_t85 - 0x2030);
              											}
              											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
              											if(_t68 != 0) {
              												E013794DA(_t85 - 0x2030);
              												E01379621(_t85 - 0x2030);
              											}
              											E0137946E(_t85 - 0x2030);
              											_t32 = 1;
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              				L21:
              				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
              				return _t32;
              			}

















              APIs
              • __EH_prolog.LIBCMT ref: 0137926D
              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 01379290
              • GetShortPathNameW.KERNEL32 ref: 013792AF
                • Part of subcall function 01381410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0137ACFE,?,?,?,0137ACAD,?,-00000002,?,00000000,?), ref: 01381426
              • _swprintf.LIBCMT ref: 0137934B
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
              • MoveFileW.KERNEL32(?,?), ref: 013793C0
              • MoveFileW.KERNEL32(?,?), ref: 013793FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
              • String ID: rtmp%d
              • API String ID: 2111052971-3303766350
              • Opcode ID: a20b7143dd4d5ce08ed0676e0b77904742af353126e644e40130acc2bc131250
              • Instruction ID: 125c2a059c1d2fff980dc3b4582c4b3854dfe13f255b5ecde48c26dd216b4b87
              • Opcode Fuzzy Hash: a20b7143dd4d5ce08ed0676e0b77904742af353126e644e40130acc2bc131250
              • Instruction Fuzzy Hash: 4441A07681121AA6DF30EBA8CC44FEE777CBF5529CF0446A5A604A7141EA389B44CF60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E013806E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
              				struct _SYSTEMTIME _v16;
              				struct _SYSTEMTIME _v32;
              				struct _SYSTEMTIME _v48;
              				struct _FILETIME _v56;
              				struct _FILETIME _v64;
              				struct _FILETIME _v72;
              				intOrPtr _v76;
              				intOrPtr _v80;
              				signed int _t73;
              				void* _t81;
              				signed int _t85;
              				void* _t86;
              				intOrPtr _t87;
              				intOrPtr* _t89;
              				intOrPtr* _t90;
              				signed int* _t92;
              				signed int _t94;
              
              				_t87 = __edx;
              				_t90 = __ecx;
              				_v80 = E0138DEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
              				_v76 = _t87;
              				if(E0137A995() >= 0x600) {
              					FileTimeToSystemTime( &_v64,  &_v32);
              					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
              					SystemTimeToFileTime( &_v16,  &_v72);
              					SystemTimeToFileTime( &_v32,  &_v56);
              					asm("sbb ecx, [esp+0x24]");
              					asm("sbb ecx, ebp");
              					asm("adc ecx, ebp");
              					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
              					asm("adc ecx, ebp");
              					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
              				} else {
              					FileTimeToLocalFileTime( &_v64,  &_v72);
              				}
              				FileTimeToSystemTime( &_v72,  &_v48);
              				_t92 = _a4;
              				_t81 = 1;
              				_t85 = _v48.wDay & 0x0000ffff;
              				_t94 = _v48.wMonth & 0x0000ffff;
              				_t88 = _v48.wYear & 0x0000ffff;
              				_t92[3] = _v48.wHour & 0x0000ffff;
              				_t92[4] = _v48.wMinute & 0x0000ffff;
              				_t92[5] = _v48.wSecond & 0x0000ffff;
              				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
              				 *_t92 = _v48.wYear & 0x0000ffff;
              				_t92[1] = _t94;
              				_t92[2] = _t85;
              				_t92[8] = _t85 - 1;
              				if(_t94 > 1) {
              					_t89 = 0x13ad084;
              					_t86 = 4;
              					while(_t86 <= 0x30) {
              						_t86 = _t86 + 4;
              						_t92[8] = _t92[8] +  *_t89;
              						_t89 = _t89 + 4;
              						_t81 = _t81 + 1;
              						if(_t81 < _t94) {
              							continue;
              						}
              						break;
              					}
              					_t88 = _v48.wYear & 0x0000ffff;
              				}
              				if(_t94 > 2 && E01380849(_t88) != 0) {
              					_t92[8] = _t92[8] + 1;
              				}
              				_t73 = E0138DF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
              				_t92[6] = _t73;
              				return _t73;
              			}





















              APIs
              • __aulldiv.LIBCMT ref: 013806F3
                • Part of subcall function 0137A995: GetVersionExW.KERNEL32(?), ref: 0137A9BA
              • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0138071C
              • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0138072E
              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0138073B
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 01380751
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0138075D
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 01380793
              • __aullrem.LIBCMT ref: 0138081D
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
              • String ID:
              • API String ID: 1247370737-0
              • Opcode ID: a6e50849f6fac1adc8058bc54807f0120243ba85616424a682c806df678ab9fb
              • Instruction ID: 982eabf80482afe6610e73b0e02d49a6211ee7a64b9c4ca21b26fe155f387b55
              • Opcode Fuzzy Hash: a6e50849f6fac1adc8058bc54807f0120243ba85616424a682c806df678ab9fb
              • Instruction Fuzzy Hash: 30413CB64083059FC714EF69C88096BFBF9FF88714F444A2EF69692640E735E548CB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E0139E2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
              				signed int _v8;
              				signed char _v15;
              				char _v16;
              				void _v24;
              				short _v28;
              				char _v31;
              				void _v32;
              				long _v36;
              				intOrPtr _v40;
              				void* _v44;
              				signed int _v48;
              				signed char* _v52;
              				long _v56;
              				int _v60;
              				signed int _t78;
              				signed int _t80;
              				int _t86;
              				void* _t94;
              				long _t97;
              				void _t105;
              				void* _t112;
              				signed int _t116;
              				signed int _t118;
              				signed char _t123;
              				signed char _t128;
              				intOrPtr _t129;
              				signed int _t131;
              				signed char* _t133;
              				intOrPtr* _t135;
              				signed int _t136;
              				void* _t137;
              
              				_t78 =  *0x13ad668; // 0x5221689b
              				_v8 = _t78 ^ _t136;
              				_t80 = _a8;
              				_t118 = _t80 >> 6;
              				_t116 = (_t80 & 0x0000003f) * 0x30;
              				_t133 = _a12;
              				_v52 = _t133;
              				_v48 = _t118;
              				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x13d0420 + _t118 * 4)) + _t116 + 0x18));
              				_v40 = _a16 + _t133;
              				_t86 = GetConsoleCP();
              				_t135 = _a4;
              				_v60 = _t86;
              				 *_t135 = 0;
              				 *((intOrPtr*)(_t135 + 4)) = 0;
              				 *((intOrPtr*)(_t135 + 8)) = 0;
              				while(_t133 < _v40) {
              					_v28 = 0;
              					_v31 =  *_t133;
              					_t129 =  *((intOrPtr*)(0x13d0420 + _v48 * 4));
              					_t123 =  *(_t129 + _t116 + 0x2d);
              					if((_t123 & 0x00000004) == 0) {
              						if(( *(E01399474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
              							_push(1);
              							_push(_t133);
              							goto L8;
              						} else {
              							if(_t133 >= _v40) {
              								_t131 = _v48;
              								 *((char*)( *((intOrPtr*)(0x13d0420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
              								 *( *((intOrPtr*)(0x13d0420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x13d0420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
              								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
              							} else {
              								_t112 = E0139804C( &_v28, _t133, 2);
              								_t137 = _t137 + 0xc;
              								if(_t112 != 0xffffffff) {
              									_t133 =  &(_t133[1]);
              									goto L9;
              								}
              							}
              						}
              					} else {
              						_t128 = _t123 & 0x000000fb;
              						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
              						_push(2);
              						_v15 = _t128;
              						 *(_t129 + _t116 + 0x2d) = _t128;
              						_push( &_v16);
              						L8:
              						_push( &_v28);
              						_t94 = E0139804C();
              						_t137 = _t137 + 0xc;
              						if(_t94 != 0xffffffff) {
              							L9:
              							_t133 =  &(_t133[1]);
              							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
              							_v56 = _t97;
              							if(_t97 != 0) {
              								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
              									L19:
              									 *_t135 = GetLastError();
              								} else {
              									_t48 = _t135 + 8; // 0xff76e900
              									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
              									if(_v36 >= _v56) {
              										if(_v31 != 0xa) {
              											goto L16;
              										} else {
              											_t105 = 0xd;
              											_v32 = _t105;
              											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
              												goto L19;
              											} else {
              												if(_v36 >= 1) {
              													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
              													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
              													goto L16;
              												}
              											}
              										}
              									}
              								}
              							}
              						}
              					}
              					goto L20;
              					L16:
              				}
              				L20:
              				return E0138E203(_t135, _v8 ^ _t136);
              			}



































              APIs
              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0139EA62,00000000,00000000,00000000,00000000,00000000,01393FBF), ref: 0139E32F
              • __fassign.LIBCMT ref: 0139E3AA
              • __fassign.LIBCMT ref: 0139E3C5
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0139E3EB
              • WriteFile.KERNEL32(?,00000000,00000000,0139EA62,00000000,?,?,?,?,?,?,?,?,?,0139EA62,00000000), ref: 0139E40A
              • WriteFile.KERNEL32(?,00000000,00000001,0139EA62,00000000,?,?,?,?,?,?,?,?,?,0139EA62,00000000), ref: 0139E443
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: eabb00a5cb5a0696dd05e8f43995f3152edaf5a18e48d02595a068343eed5585
              • Instruction ID: d954d4baadb55d389ba275b41b85f69a949ac7ef461ddfe841e5a88e5681490c
              • Opcode Fuzzy Hash: eabb00a5cb5a0696dd05e8f43995f3152edaf5a18e48d02595a068343eed5585
              • Instruction Fuzzy Hash: 24519475A002499FDF14CFA8D885BEEBBF9EF09314F14416AE955F7291D7309940CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 52%
              			E0138BB5B(intOrPtr __ebx, void* __ecx) {
              				intOrPtr _t209;
              				void* _t210;
              				intOrPtr _t263;
              				WCHAR* _t277;
              				void* _t279;
              				WCHAR* _t280;
              				void* _t285;
              
              				L0:
              				while(1) {
              					L0:
              					_t263 = __ebx;
              					if(__ebx != 1) {
              						goto L112;
              					}
              					L96:
              					__eax = __ebp - 0x7c84;
              					__edi = 0x800;
              					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
              					E0137AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
              					__esi = 0;
              					_push(0);
              					while(1) {
              						L98:
              						_push( *0x13ad5f8);
              						__ebp - 0x7c84 = E01373E41(0x13b85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
              						__eax = E01379E6B(0x13b85fa);
              						__eflags = __al;
              						if(__al == 0) {
              							break;
              						}
              						L97:
              						__esi =  &(__esi->i);
              						__eflags = __esi;
              						_push(__esi);
              					}
              					L99:
              					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x13b85fa);
              					__eflags =  *(__ebp - 0x5c84);
              					if( *(__ebp - 0x5c84) == 0) {
              						while(1) {
              							L164:
              							_push(0x1000);
              							_t197 = _t285 - 0xe; // 0xffffa36e
              							_t198 = _t285 - 0xd; // 0xffffa36f
              							_t199 = _t285 - 0x5c84; // 0xffff46f8
              							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
              							_push( *((intOrPtr*)(_t285 + 0xc)));
              							_t209 = E0138A156();
              							_t263 =  *((intOrPtr*)(_t285 + 0x10));
              							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
              							if(_t209 != 0) {
              								_t210 = _t285 - 0x5c84;
              								_t279 = _t285 - 0x1bc8c;
              								_t277 = 6;
              								goto L2;
              							} else {
              								break;
              							}
              							L4:
              							while(E01381410(_t285 - 0xfc8c,  *((intOrPtr*)(0x13ad618 + _t280 * 4))) != 0) {
              								_t280 =  &(_t280[0]);
              								if(_t280 < 0xe) {
              									continue;
              								} else {
              									goto L164;
              								}
              							}
              							__eflags = _t280 - 0xd;
              							if(__eflags > 0) {
              								continue;
              							}
              							L8:
              							switch( *((intOrPtr*)(_t280 * 4 +  &M0138C0D7))) {
              								case 0:
              									L9:
              									__eflags = _t263 - 2;
              									if(_t263 != 2) {
              										goto L164;
              									}
              									L10:
              									_t282 = 0x800;
              									E013895F8(_t285 - 0x7c84, 0x800);
              									E0137A188(E0137B625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
              									 *(_t285 - 4) = _t277;
              									E0137A2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
              									E01376EF9(_t285 - 0x3c84);
              									_push(_t277);
              									_t271 = _t285 - 0x8c8c;
              									_t224 = E0137A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
              									__eflags = _t224;
              									if(_t224 == 0) {
              										L26:
              										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
              										E0137A19E(_t285 - 0x8c8c);
              										goto L164;
              									} else {
              										goto L13;
              										L14:
              										E0137B1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
              										E0137AEA5(__eflags, _t285 - 0x103c, _t282);
              										_t284 = E01392B33(_t285 - 0x7c84);
              										__eflags = _t284 - 4;
              										if(_t284 < 4) {
              											L16:
              											_t252 = E0137B5E5(_t285 - 0x5c84);
              											__eflags = _t252;
              											if(_t252 != 0) {
              												goto L26;
              											}
              											L17:
              											_t254 = E01392B33(_t285 - 0x3c84);
              											__eflags = 0;
              											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
              											E0138E920(_t277, _t285 - 0x3c, _t277, 0x1e);
              											_t287 = _t287 + 0x10;
              											 *((intOrPtr*)(_t285 - 0x38)) = 3;
              											_push(0x14);
              											_pop(_t257);
              											 *((short*)(_t285 - 0x2c)) = _t257;
              											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
              											_push(_t285 - 0x3c);
              											 *0x13adef4();
              											goto L18;
              										}
              										L15:
              										_t262 = E01392B33(_t285 - 0x103c);
              										__eflags = _t284 - _t262;
              										if(_t284 > _t262) {
              											goto L17;
              										}
              										goto L16;
              										L18:
              										_t229 = GetFileAttributesW(_t285 - 0x3c84);
              										__eflags = _t229 - 0xffffffff;
              										if(_t229 == 0xffffffff) {
              											L25:
              											_push(_t277);
              											_t271 = _t285 - 0x8c8c;
              											_t231 = E0137A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
              											__eflags = _t231;
              											if(_t231 != 0) {
              												_t282 = 0x800;
              												L13:
              												SetFileAttributesW(_t285 - 0x3c84, _t277);
              												__eflags =  *((char*)(_t285 - 0x2c78));
              												if(__eflags == 0) {
              													goto L18;
              												}
              												goto L14;
              											}
              											goto L26;
              										}
              										L19:
              										_t233 = DeleteFileW(_t285 - 0x3c84);
              										__eflags = _t233;
              										if(_t233 != 0) {
              											goto L25;
              										} else {
              											_t283 = _t277;
              											_push(_t277);
              											goto L22;
              											L22:
              											E01373E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
              											_t287 = _t287 + 0x14;
              											_t238 = GetFileAttributesW(_t285 - 0x103c);
              											__eflags = _t238 - 0xffffffff;
              											if(_t238 != 0xffffffff) {
              												_t283 = _t283 + 1;
              												__eflags = _t283;
              												_push(_t283);
              												goto L22;
              											} else {
              												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
              												__eflags = _t241;
              												if(_t241 != 0) {
              													MoveFileExW(_t285 - 0x103c, _t277, 4);
              												}
              												goto L25;
              											}
              										}
              									}
              								case 1:
              									L27:
              									__eflags = __ebx;
              									if(__ebx == 0) {
              										__eax =  *0x13cce0c;
              										__eflags =  *0x13cce0c;
              										__ebx = __ebx & 0xffffff00 |  *0x13cce0c == 0x00000000;
              										__eflags = __bl;
              										if(__bl == 0) {
              											__eax =  *0x13cce0c;
              											_pop(__ecx);
              											_pop(__ecx);
              										}
              										L30:
              										__bh =  *((intOrPtr*)(__ebp - 0xd));
              										__eflags = __bh;
              										if(__eflags == 0) {
              											__eax = __ebp + 0xc;
              											_push(__ebp + 0xc);
              											__esi = E0138A2AE(__ecx, __edx, __eflags);
              											__eax =  *0x13cce0c;
              										} else {
              											__esi = __ebp - 0x5c84;
              										}
              										__eflags = __bl;
              										if(__bl == 0) {
              											__edi = __eax;
              										}
              										L35:
              										__eax = E01392B33(__esi);
              										__eax = __eax + __edi;
              										_push(__eax);
              										_push( *0x13cce0c);
              										__eax = E01392B5E(__ecx, __edx);
              										__esp = __esp + 0xc;
              										__eflags = __eax;
              										if(__eax != 0) {
              											 *0x13cce0c = __eax;
              											__eflags = __bl;
              											if(__bl != 0) {
              												__ecx = 0;
              												__eflags = 0;
              												 *__eax = __cx;
              											}
              											__eax = E013966ED(__eax, __esi);
              											_pop(__ecx);
              											_pop(__ecx);
              										}
              										__eflags = __bh;
              										if(__bh == 0) {
              											__eax = L01392B4E(__esi);
              										}
              									}
              									goto L164;
              								case 2:
              									L41:
              									__eflags = __ebx;
              									if(__ebx == 0) {
              										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
              									}
              									goto L164;
              								case 3:
              									L43:
              									__eflags = __ebx;
              									if(__ebx != 0) {
              										goto L164;
              									}
              									L44:
              									__eflags =  *0x13b9602 - __di;
              									if( *0x13b9602 != __di) {
              										goto L164;
              									}
              									L45:
              									__eax = 0;
              									__edi = __ebp - 0x5c84;
              									_push(0x22);
              									 *(__ebp - 0x103c) = __ax;
              									_pop(__eax);
              									__eflags =  *(__ebp - 0x5c84) - __ax;
              									if( *(__ebp - 0x5c84) == __ax) {
              										__edi = __ebp - 0x5c82;
              									}
              									__eax = E01392B33(__edi);
              									__esi = 0x800;
              									__eflags = __eax - 0x800;
              									if(__eax >= 0x800) {
              										goto L164;
              									} else {
              										L48:
              										__eax =  *__edi & 0x0000ffff;
              										_push(0x5c);
              										_pop(__ecx);
              										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
              										if(( *__edi & 0x0000ffff) != 0x2e) {
              											L52:
              											__eflags = __ax - __cx;
              											if(__ax == __cx) {
              												L64:
              												__ebp - 0x103c = E0137FAB1(__ebp - 0x103c, __edi, __esi);
              												__ebx = 0;
              												__eflags = 0;
              												L65:
              												_push(0x22);
              												_pop(__eax);
              												__eax = __ebp - 0x103c;
              												__eax = E01390D9B(__ebp - 0x103c, __ebp - 0x103c);
              												_pop(__ecx);
              												_pop(__ecx);
              												__eflags = __eax;
              												if(__eax != 0) {
              													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
              													if( *((intOrPtr*)(__eax + 2)) == __bx) {
              														__ecx = 0;
              														__eflags = 0;
              														 *__eax = __cx;
              													}
              												}
              												__eax = __ebp - 0x103c;
              												__edi = 0x13b9602;
              												E0137FAB1(0x13b9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
              												__eax = E01389FFC(__ebp - 0x103c, __esi);
              												__esi = GetDlgItem( *(__ebp + 8), 0x66);
              												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
              												__ebx =  *0x13adf7c;
              												__eax = SendMessageW(__esi, 0x143, __ebx, 0x13b9602); // executed
              												__eax = __ebp - 0x103c;
              												__eax = E01392B69(__ebp - 0x103c, 0x13b9602, __eax);
              												_pop(__ecx);
              												_pop(__ecx);
              												__eflags = __eax;
              												if(__eax != 0) {
              													__ebp - 0x103c = 0;
              													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
              												}
              												goto L164;
              											}
              											L53:
              											__eflags = __ax;
              											if(__ax == 0) {
              												L55:
              												__eax = __ebp - 0x18;
              												__ebx = 0;
              												_push(__ebp - 0x18);
              												_push(1);
              												_push(0);
              												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
              												_push(0x80000002);
              												__eax =  *0x13adea8();
              												__eflags = __eax;
              												if(__eax == 0) {
              													__eax = __ebp - 0x14;
              													 *(__ebp - 0x14) = 0x1000;
              													_push(__ebp - 0x14);
              													__eax = __ebp - 0x103c;
              													_push(__ebp - 0x103c);
              													__eax = __ebp - 0x1c;
              													_push(__ebp - 0x1c);
              													_push(0);
              													_push(L"ProgramFilesDir");
              													_push( *(__ebp - 0x18));
              													__eax =  *0x13adea4();
              													_push( *(__ebp - 0x18));
              													 *0x13ade84() =  *(__ebp - 0x14);
              													__ecx = 0x7ff;
              													__eax =  *(__ebp - 0x14) >> 1;
              													__eflags = __eax - 0x7ff;
              													if(__eax >= 0x7ff) {
              														__eax = 0x7ff;
              													}
              													__ecx = 0;
              													__eflags = 0;
              													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
              												}
              												__eflags =  *(__ebp - 0x103c) - __bx;
              												if( *(__ebp - 0x103c) != __bx) {
              													__eax = __ebp - 0x103c;
              													__eax = E01392B33(__ebp - 0x103c);
              													_push(0x5c);
              													_pop(__ecx);
              													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
              													if(__eflags != 0) {
              														__ebp - 0x103c = E0137FA89(__eflags, __ebp - 0x103c, "\\", __esi);
              													}
              												}
              												__esi = E01392B33(__edi);
              												__eax = __ebp - 0x103c;
              												__eflags = __esi - 0x7ff;
              												__esi = 0x800;
              												if(__eflags < 0) {
              													__ebp - 0x103c = E0137FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
              												}
              												goto L65;
              											}
              											L54:
              											__eflags =  *((short*)(__edi + 2)) - 0x3a;
              											if( *((short*)(__edi + 2)) == 0x3a) {
              												goto L64;
              											}
              											goto L55;
              										}
              										L49:
              										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
              										if( *((intOrPtr*)(__edi + 2)) != __cx) {
              											goto L52;
              										}
              										L50:
              										__edi = __edi + 4;
              										__ebx = 0;
              										__eflags =  *__edi - __bx;
              										if( *__edi == __bx) {
              											goto L164;
              										}
              										L51:
              										__ebp - 0x103c = E0137FAB1(__ebp - 0x103c, __edi, 0x800);
              										goto L65;
              									}
              								case 4:
              									L70:
              									__eflags =  *0x13b95fc - 1;
              									__eflags = __eax - 0x13b95fc;
              									 *__edi =  *__edi + __ecx;
              									__eflags =  *(__ebx + 6) & __bl;
              									 *__eax =  *__eax + __al;
              									__eflags =  *__eax;
              								case 5:
              									L75:
              									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              									__ecx = 0;
              									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              									__eflags = __eax;
              									if(__eax == 0) {
              										L82:
              										 *0x13b75d2 = __cl;
              										 *0x13b75d3 = 1;
              										goto L164;
              									}
              									L76:
              									__eax = __eax - 0x30;
              									__eflags = __eax;
              									if(__eax == 0) {
              										L80:
              										 *0x13b75d2 = __cl;
              										L81:
              										 *0x13b75d3 = __cl;
              										goto L164;
              									}
              									L77:
              									__eax = __eax - 1;
              									__eflags = __eax;
              									if(__eax == 0) {
              										goto L82;
              									}
              									L78:
              									__eax = __eax - 1;
              									__eflags = __eax;
              									if(__eax != 0) {
              										goto L164;
              									}
              									L79:
              									 *0x13b75d2 = 1;
              									goto L81;
              								case 6:
              									L88:
              									__eflags = __ebx - 4;
              									if(__ebx != 4) {
              										goto L92;
              									}
              									L89:
              									__eax = __ebp - 0x5c84;
              									__eax = E01392B69(__ebp - 0x5c84, __eax, L"<>");
              									_pop(__ecx);
              									_pop(__ecx);
              									__eflags = __eax;
              									if(__eax == 0) {
              										goto L92;
              									}
              									L90:
              									_push(__edi);
              									goto L91;
              								case 7:
              									goto L0;
              								case 8:
              									L116:
              									__eflags = __ebx - 3;
              									if(__ebx == 3) {
              										__eflags =  *(__ebp - 0x5c84) - __di;
              										if(__eflags != 0) {
              											__eax = __ebp - 0x5c84;
              											_push(__ebp - 0x5c84);
              											__eax = E0139668C(__ebx, __edi);
              											_pop(__ecx);
              											 *0x13cde1c = __eax;
              										}
              										__eax = __ebp + 0xc;
              										_push(__ebp + 0xc);
              										 *0x13cde18 = E0138A2AE(__ecx, __edx, __eflags);
              									}
              									 *0x13c5d03 = 1;
              									goto L164;
              								case 9:
              									L121:
              									__eflags = __ebx - 5;
              									if(__ebx != 5) {
              										L92:
              										 *0x13cde20 = 1;
              										goto L164;
              									}
              									L122:
              									_push(1);
              									L91:
              									__eax = __ebp - 0x5c84;
              									_push(__ebp - 0x5c84);
              									_push( *(__ebp + 8));
              									__eax = E0138C431();
              									goto L92;
              								case 0xa:
              									L123:
              									__eflags = __ebx - 6;
              									if(__ebx != 6) {
              										goto L164;
              									}
              									L124:
              									__eax = 0;
              									 *(__ebp - 0x2c3c) = __ax;
              									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
              									__eax = E013959C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
              									_push(0x800);
              									__eflags = __eax - 0x50;
              									if(__eax == 0x50) {
              										_push(0x13cad0a);
              										__eax = __ebp - 0x2c3c;
              										_push(__ebp - 0x2c3c);
              										__eax = E0137FAB1();
              										 *(__ebp - 0x14) = 2;
              									} else {
              										__eflags = __eax - 0x54;
              										__eax = __ebp - 0x2c3c;
              										if(__eflags == 0) {
              											_push(0x13c9d0a);
              											_push(__eax);
              											__eax = E0137FAB1();
              											 *(__ebp - 0x14) = 7;
              										} else {
              											_push(0x13cbd0a);
              											_push(__eax);
              											__eax = E0137FAB1();
              											 *(__ebp - 0x14) = 0x10;
              										}
              									}
              									__eax = 0;
              									 *(__ebp - 0x9c8c) = __ax;
              									 *(__ebp - 0x1c3c) = __ax;
              									__ebp - 0x19c8c = __ebp - 0x6c84;
              									__eax = E01394D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
              									_pop(__ecx);
              									_pop(__ecx);
              									_push(0x22);
              									_pop(__ebx);
              									__eflags =  *(__ebp - 0x6c84) - __bx;
              									if( *(__ebp - 0x6c84) != __bx) {
              										L132:
              										__ebp - 0x6c84 = E01379E6B(__ebp - 0x6c84);
              										__eflags = __al;
              										if(__al != 0) {
              											goto L149;
              										}
              										L133:
              										__ebx = __edi;
              										__esi = __ebp - 0x6c84;
              										__eflags =  *(__ebp - 0x6c84) - __bx;
              										if( *(__ebp - 0x6c84) == __bx) {
              											goto L149;
              										}
              										L134:
              										_push(0x20);
              										_pop(__ecx);
              										do {
              											L135:
              											__eax = __esi->i & 0x0000ffff;
              											__eflags = __ax - __cx;
              											if(__ax == __cx) {
              												L137:
              												__edi = __eax;
              												__eax = 0;
              												__esi->i = __ax;
              												__ebp - 0x6c84 = E01379E6B(__ebp - 0x6c84);
              												__eflags = __al;
              												if(__al == 0) {
              													L144:
              													__esi->i = __di;
              													L145:
              													_push(0x20);
              													_pop(__ecx);
              													__edi = 0;
              													__eflags = 0;
              													goto L146;
              												}
              												L138:
              												_push(0x2f);
              												_pop(__eax);
              												__ebx = __esi;
              												__eflags = __di - __ax;
              												if(__di != __ax) {
              													L140:
              													_push(0x20);
              													_pop(__eax);
              													do {
              														L141:
              														__esi =  &(__esi->i);
              														__eflags = __esi->i - __ax;
              													} while (__esi->i == __ax);
              													_push(__esi);
              													__eax = __ebp - 0x1c3c;
              													L143:
              													_push(__eax);
              													__eax = E01394D7E();
              													_pop(__ecx);
              													_pop(__ecx);
              													 *__ebx = __di;
              													goto L145;
              												}
              												L139:
              												 *(__ebp - 0x1c3c) = __ax;
              												__eax =  &(__esi->i);
              												_push( &(__esi->i));
              												__eax = __ebp - 0x1c3a;
              												goto L143;
              											}
              											L136:
              											_push(0x2f);
              											_pop(__edx);
              											__eflags = __ax - __dx;
              											if(__ax != __dx) {
              												goto L146;
              											}
              											goto L137;
              											L146:
              											__esi =  &(__esi->i);
              											__eflags = __esi->i - __di;
              										} while (__esi->i != __di);
              										__eflags = __ebx;
              										if(__ebx != 0) {
              											__eax = 0;
              											__eflags = 0;
              											 *__ebx = __ax;
              										}
              										goto L149;
              									} else {
              										L130:
              										__ebp - 0x19c8a = __ebp - 0x6c84;
              										E01394D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
              										_push(__ebx);
              										_push(__ebp - 0x6c82);
              										__eax = E01390BB8(__ecx);
              										__esp = __esp + 0x10;
              										__eflags = __eax;
              										if(__eax != 0) {
              											__ecx = 0;
              											 *__eax = __cx;
              											__ebp - 0x1c3c = E01394D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
              											_pop(__ecx);
              											_pop(__ecx);
              										}
              										L149:
              										__eflags =  *(__ebp - 0x11c8c);
              										__ebx = 0x800;
              										if( *(__ebp - 0x11c8c) != 0) {
              											_push(0x800);
              											__eax = __ebp - 0x9c8c;
              											_push(__ebp - 0x9c8c);
              											__eax = __ebp - 0x11c8c;
              											_push(__ebp - 0x11c8c);
              											__eax = E0137AED7();
              										}
              										_push(__ebx);
              										__eax = __ebp - 0xbc8c;
              										_push(__ebp - 0xbc8c);
              										__eax = __ebp - 0x6c84;
              										_push(__ebp - 0x6c84);
              										__eax = E0137AED7();
              										__eflags =  *(__ebp - 0x2c3c);
              										if(__eflags == 0) {
              											__ebp - 0x2c3c = E0138A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
              										}
              										__ebp - 0x2c3c = E0137AEA5(__eflags, __ebp - 0x2c3c, __ebx);
              										__eflags =  *((short*)(__ebp - 0x17c8c));
              										if(__eflags != 0) {
              											__ebp - 0x17c8c = __ebp - 0x2c3c;
              											E0137FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
              											__eax = E0137AEA5(__eflags, __ebp - 0x2c3c, __ebx);
              										}
              										__ebp - 0x2c3c = __ebp - 0xcc8c;
              										__eax = E01394D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
              										__eflags =  *(__ebp - 0x13c8c);
              										__eax = __ebp - 0x13c8c;
              										_pop(__ecx);
              										_pop(__ecx);
              										if(__eflags == 0) {
              											__eax = __ebp - 0x19c8c;
              										}
              										__ebp - 0x2c3c = E0137FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
              										__eax = __ebp - 0x2c3c;
              										__eflags = E0137B153(__ebp - 0x2c3c);
              										if(__eflags == 0) {
              											L159:
              											__ebp - 0x2c3c = E0137FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
              											goto L160;
              										} else {
              											L158:
              											__eflags = __eax;
              											if(__eflags == 0) {
              												L160:
              												_push(1);
              												__eax = __ebp - 0x2c3c;
              												_push(__ebp - 0x2c3c);
              												E01379D3A(__ecx, __ebp) = __ebp - 0xbc8c;
              												__ebp - 0xac8c = E01394D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
              												_pop(__ecx);
              												_pop(__ecx);
              												__ebp - 0xac8c = E0137B98D(__eflags, __ebp - 0xac8c);
              												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
              												__eax = __ebp - 0x1c3c;
              												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
              												__edx = __ebp - 0x9c8c;
              												__esi = __ebp - 0xac8c;
              												asm("sbb ecx, ecx");
              												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
              												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
              												asm("sbb eax, eax");
              												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
              												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
              												__eax = __ebp - 0x15c8c;
              												asm("sbb edx, edx");
              												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
              												E01389D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
              												__ebp - 0xbc8c = E01389450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
              												__eflags =  *(__ebp - 0xcc8c);
              												if( *(__ebp - 0xcc8c) != 0) {
              													_push(__edi);
              													__eax = __ebp - 0xcc8c;
              													_push(__ebp - 0xcc8c);
              													_push(5);
              													_push(0x1000);
              													__eax =  *0x13adef8();
              												}
              												goto L164;
              											}
              											goto L159;
              										}
              									}
              								case 0xb:
              									L162:
              									__eflags = __ebx - 7;
              									if(__ebx == 7) {
              										 *0x13b9600 = 1;
              									}
              									goto L164;
              								case 0xc:
              									L83:
              									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
              									__eax = E013959C0( *(__ebp - 0x5c84) & 0x0000ffff);
              									__eflags = __eax - 0x46;
              									if(__eax == 0x46) {
              										 *0x13b75d4 = 1;
              									} else {
              										__eflags = __eax - 0x55;
              										if(__eax == 0x55) {
              											 *0x13b75d5 = 1;
              										} else {
              											__eax = 0;
              											 *0x13b75d4 = __al;
              											 *0x13b75d5 = __al;
              										}
              									}
              									goto L164;
              								case 0xd:
              									L93:
              									 *0x13cde21 = 1;
              									__eax = __eax + 0x13cde21;
              									_t104 = __esi + 0x39;
              									 *_t104 =  *(__esi + 0x39) + __esp;
              									__eflags =  *_t104;
              									__ebp = 0xffffa37c;
              									if( *_t104 != 0) {
              										_t106 = __ebp - 0x5c84; // 0xffff46f8
              										__eax = _t106;
              										_push(_t106);
              										 *0x13ad5fc = E013813FC();
              									}
              									goto L164;
              							}
              							L2:
              							_t210 = E01389E24(_t210, _t279);
              							_t279 = _t279 + 0x2000;
              							_t277 = _t277 - 1;
              							if(_t277 != 0) {
              								goto L2;
              							} else {
              								_t280 = _t277;
              								goto L4;
              							}
              						}
              						L165:
              						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
              						return _t209;
              					}
              					L100:
              					__eflags =  *0x13c5d02;
              					if( *0x13c5d02 != 0) {
              						goto L164;
              					}
              					L101:
              					__eax = 0;
              					 *(__ebp - 0x143c) = __ax;
              					__eax = __ebp - 0x5c84;
              					_push(__ebp - 0x5c84);
              					__eax = E01390BB8(__ecx);
              					_pop(__ecx);
              					__ecx = 0x2c;
              					__eflags = __eax;
              					if(__eax != 0) {
              						L108:
              						__eflags =  *(__ebp - 0x143c);
              						if( *(__ebp - 0x143c) == 0) {
              							__ebp - 0x1bc8c = __ebp - 0x5c84;
              							E0137FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
              							__ebp - 0x143c = E0137FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
              						}
              						__ebp - 0x5c84 = E01389C4F(__ebp - 0x5c84);
              						__eax = 0;
              						 *(__ebp - 0x4c84) = __ax;
              						__ebp - 0x143c = __ebp - 0x5c84;
              						__eax = E01389735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
              						__eflags = __eax - 6;
              						if(__eax == 6) {
              							goto L164;
              						} else {
              							L111:
              							__eax = 0;
              							__eflags = 0;
              							 *0x13b75d7 = 1;
              							 *0x13b85fa = __ax;
              							__eax = EndDialog( *(__ebp + 8), 1);
              							goto L112;
              						}
              					}
              					L102:
              					__esi = 0;
              					__eflags =  *(__ebp - 0x5c84) - __dx;
              					if( *(__ebp - 0x5c84) == __dx) {
              						goto L108;
              					}
              					L103:
              					__ecx = 0;
              					__eax = __ebp - 0x5c84;
              					while(1) {
              						L104:
              						__eflags =  *__eax - 0x40;
              						if( *__eax == 0x40) {
              							break;
              						}
              						L105:
              						__esi =  &(__esi->i);
              						__eax = __ebp - 0x5c84;
              						__ecx = __esi + __esi;
              						__eax = __ebp - 0x5c84 + __ecx;
              						__eflags =  *__eax - __dx;
              						if( *__eax != __dx) {
              							continue;
              						}
              						L106:
              						goto L108;
              					}
              					L107:
              					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
              					__ebp - 0x143c = E0137FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
              					__eax = 0;
              					__eflags = 0;
              					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
              					goto L108;
              					L112:
              					__eflags = _t263 - 7;
              					if(_t263 == 7) {
              						__eflags =  *0x13b95fc;
              						if( *0x13b95fc == 0) {
              							 *0x13b95fc = 2;
              						}
              						 *0x13b85f8 = 1;
              					}
              					goto L164;
              				}
              			}

              APIs
              • GetTempPathW.KERNEL32(00000800,?), ref: 0138BB71
              • _swprintf.LIBCMT ref: 0138BBA5
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
              • SetDlgItemTextW.USER32(?,00000066,013B85FA), ref: 0138BBC5
              • _wcschr.LIBVCRUNTIME ref: 0138BBF8
              • EndDialog.USER32(?,00000001), ref: 0138BCD9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
              • String ID: %s%s%u
              • API String ID: 2892007947-1360425832
              • Opcode ID: 7a19abeb0ba480c0b691cfe89bee12d4d054beec22cb64225b85470db5ea1f98
              • Instruction ID: 17bf576a88fb8a88879d587af38335b3ec2d84d94c122f7f5db7cecaf4b2aca9
              • Opcode Fuzzy Hash: 7a19abeb0ba480c0b691cfe89bee12d4d054beec22cb64225b85470db5ea1f98
              • Instruction Fuzzy Hash: 7C41107290071AAEEF35EB64CC84FEEB7BCEB04358F4040A6E519E6145EF7496848F61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E013888BF(void* __edx) {
              				void* __ecx;
              				void* _t20;
              				short* _t24;
              				void* _t28;
              				signed int _t29;
              				intOrPtr _t31;
              				intOrPtr* _t38;
              				void* _t44;
              				void* _t58;
              				intOrPtr* _t60;
              				short* _t62;
              				short* _t64;
              				intOrPtr* _t67;
              				long _t69;
              				void* _t71;
              				void* _t72;
              
              				_t58 = __edx;
              				_t43 = _t44;
              				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
              					return _t20;
              				}
              				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
              				_t60 =  *((intOrPtr*)(_t71 + 0x18));
              				 *((char*)(_t71 + 0x1c)) = E013887A5(_t60);
              				_push(0x200 + E01392B33(_t60) * 2);
              				_t24 = E01392B53(_t44);
              				_t64 = _t24;
              				if(_t64 == 0) {
              					L16:
              					return _t24;
              				}
              				E01394D7E(_t64, L"<html>");
              				E013966ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
              				E013966ED(_t64, L"utf-8\"></head>");
              				_t72 = _t71 + 0x18;
              				_t67 = _t60;
              				_t28 = 0x20;
              				if( *_t60 != _t28) {
              					L4:
              					_t29 = E01381432(_t76, _t67, L"<html>", 6);
              					asm("sbb al, al");
              					_t31 =  ~_t29 + 1;
              					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
              					if(_t31 != 0) {
              						_t60 = _t67 + 0xc;
              					}
              					E013966ED(_t64, _t60);
              					if( *((char*)(_t72 + 0x1c)) == 0) {
              						E013966ED(_t64, L"</html>");
              					}
              					_t79 =  *((char*)(_t72 + 0x1c));
              					if( *((char*)(_t72 + 0x1c)) == 0) {
              						_push(_t64);
              						_t64 = E01388ACA(_t58, _t79);
              					}
              					_t69 = 9 + E01392B33(_t64) * 6;
              					_t62 = GlobalAlloc(0x40, _t69);
              					if(_t62 != 0) {
              						_t13 = _t62 + 3; // 0x3
              						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
              							 *_t62 = 0;
              						} else {
              							 *_t62 = 0xbbef;
              							 *((char*)(_t62 + 2)) = 0xbf;
              						}
              					}
              					L01392B4E(_t64);
              					_t24 =  *0x13adff8(_t62, 1, _t72 + 0x10);
              					if(_t24 >= 0) {
              						E013887DC( *((intOrPtr*)(_t43 + 0x10)));
              						_t38 =  *((intOrPtr*)(_t72 + 0xc));
              						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
              					}
              					goto L16;
              				} else {
              					goto L3;
              				}
              				do {
              					L3:
              					_t67 = _t67 + 2;
              					_t76 =  *_t67 - _t28;
              				} while ( *_t67 == _t28);
              				goto L4;
              			}

              APIs
              • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,013887A0), ref: 01388994
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 013889B5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocByteCharGlobalMultiWide
              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
              • API String ID: 3286310052-4209811716
              • Opcode ID: 210df9a9dd3bff808440a69fde3cf68680e23ed20e0dabdc5013b0bc83766ae5
              • Instruction ID: ecefe3330f693cf3cf41d16439561aa61116a1e8f515b52858810b9136decba6
              • Opcode Fuzzy Hash: 210df9a9dd3bff808440a69fde3cf68680e23ed20e0dabdc5013b0bc83766ae5
              • Instruction Fuzzy Hash: 6A314472105303BEE725BB68DC05FAFBBACDF91328F40454EF510961C1EB70A40587A6
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 43%
              			E01388FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
              				struct tagRECT _v16;
              				intOrPtr _v28;
              				intOrPtr _v36;
              				void* __ebx;
              				void* __edi;
              				intOrPtr _t32;
              				struct HWND__* _t43;
              				intOrPtr* _t51;
              				void* _t58;
              				WCHAR* _t65;
              				struct HWND__* _t66;
              
              				_t66 = _a8;
              				_t51 = __ecx;
              				 *(__ecx + 8) = _t66;
              				 *((char*)(__ecx + 0x26)) = _a20;
              				ShowWindow(_t66, 0);
              				E01388D3F(_t51, _a4);
              				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
              					L01392B4E( *((intOrPtr*)(_t51 + 0x1c)));
              				}
              				if(_a12 != 0) {
              					_push(_a12);
              					_t32 = E0139668C(_t51, _t58);
              				} else {
              					_t32 = 0;
              				}
              				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
              				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
              				GetWindowRect(_t66,  &_v16);
              				 *0x13adf88(0,  *0x13adfd4(_t66,  &_v16, 2));
              				if( *(_t51 + 4) != 0) {
              					 *0x13adf90( *(_t51 + 4));
              				}
              				_t39 = _v36;
              				_t19 = _t39 + 1; // 0x1
              				_t43 =  *0x13adf98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x13adfd4(_t66, 0,  *_t51, _t51, _t58));
              				 *(_t51 + 4) = _t43;
              				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
              					__eflags = _t43;
              					if(_t43 != 0) {
              						ShowWindow(_t43, 5);
              						return  *0x13adf8c( *(_t51 + 4));
              					}
              				} else {
              					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
              						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
              						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
              							_t43 = E01388E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
              							_t65 = _t43;
              							if(_t65 != 0) {
              								ShowWindow(_t66, 5);
              								SetWindowTextW(_t66, _t65);
              								return L01392B4E(_t65);
              							}
              						}
              					}
              				}
              				return _t43;
              			}















              APIs
              • ShowWindow.USER32(?,00000000), ref: 01388FFF
              • GetWindowRect.USER32(?,00000000), ref: 01389044
              • ShowWindow.USER32(?,00000005,00000000), ref: 013890DB
              • SetWindowTextW.USER32(?,00000000), ref: 013890E3
              • ShowWindow.USER32(00000000,00000005), ref: 013890F9
              Strings
              Similarity
              • API ID: Window$Show$RectText
              • String ID: RarHtmlClassName
              • API String ID: 3937224194-1658105358
              • Opcode ID: 6c79e1e3cf486ac8eced4576988ce945d3dddb259fb02ea754b1220aff751ab0
              • Instruction ID: 787d9bf6edc82bbdeca3f425070ca36bf5624092fe95b5ab888611f8054c7125
              • Opcode Fuzzy Hash: 6c79e1e3cf486ac8eced4576988ce945d3dddb259fb02ea754b1220aff751ab0
              • Instruction Fuzzy Hash: A731B271108304AFDB21AFA8DC4CFABBFACEF88719F004559F9499A14ACB35D805CB61
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0139B506(intOrPtr _a4) {
              				void* _t18;
              
              				_t45 = _a4;
              				if(_a4 != 0) {
              					E0139B4CA(_t45, 7);
              					E0139B4CA(_t45 + 0x1c, 7);
              					E0139B4CA(_t45 + 0x38, 0xc);
              					E0139B4CA(_t45 + 0x68, 0xc);
              					E0139B4CA(_t45 + 0x98, 2);
              					E01397A50( *((intOrPtr*)(_t45 + 0xa0)));
              					E01397A50( *((intOrPtr*)(_t45 + 0xa4)));
              					E01397A50( *((intOrPtr*)(_t45 + 0xa8)));
              					E0139B4CA(_t45 + 0xb4, 7);
              					E0139B4CA(_t45 + 0xd0, 7);
              					E0139B4CA(_t45 + 0xec, 0xc);
              					E0139B4CA(_t45 + 0x11c, 0xc);
              					E0139B4CA(_t45 + 0x14c, 2);
              					E01397A50( *((intOrPtr*)(_t45 + 0x154)));
              					E01397A50( *((intOrPtr*)(_t45 + 0x158)));
              					E01397A50( *((intOrPtr*)(_t45 + 0x15c)));
              					return E01397A50( *((intOrPtr*)(_t45 + 0x160)));
              				}
              				return _t18;
              			}





              APIs
                • Part of subcall function 0139B4CA: _free.LIBCMT ref: 0139B4F3
              • _free.LIBCMT ref: 0139B554
                • Part of subcall function 01397A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?), ref: 01397A66
                • Part of subcall function 01397A50: GetLastError.KERNEL32(?,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?,?), ref: 01397A78
              • _free.LIBCMT ref: 0139B55F
              • _free.LIBCMT ref: 0139B56A
              • _free.LIBCMT ref: 0139B5BE
              • _free.LIBCMT ref: 0139B5C9
              • _free.LIBCMT ref: 0139B5D4
              • _free.LIBCMT ref: 0139B5DF
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
              • Instruction ID: f05baffef18bd47c1f60531e4597187094cace349b707b689c3aabedc2fcffd5
              • Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
              • Instruction Fuzzy Hash: 3C118132540B09BAEF20F7B4DC09FCFB7EC6F11B04F404814A79E76198DA28B6045A64
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E01391694(void* __ecx, void* __edx) {
              				void* _t4;
              				void* _t11;
              				void* _t16;
              				long _t26;
              				void* _t29;
              
              				if( *0x13ad680 != 0xffffffff) {
              					_t26 = GetLastError();
              					_t11 = E0139288E(__eflags,  *0x13ad680);
              					__eflags = _t11 - 0xffffffff;
              					if(_t11 == 0xffffffff) {
              						L5:
              						_t11 = 0;
              					} else {
              						__eflags = _t11;
              						if(__eflags == 0) {
              							_t4 = E013928C8(__eflags,  *0x13ad680, 0xffffffff);
              							_pop(_t16);
              							__eflags = _t4;
              							if(_t4 != 0) {
              								_t29 = E01397B1B(_t16, 1, 0x28);
              								__eflags = _t29;
              								if(__eflags == 0) {
              									L8:
              									_t11 = 0;
              									E013928C8(__eflags,  *0x13ad680, 0);
              								} else {
              									__eflags = E013928C8(__eflags,  *0x13ad680, _t29);
              									if(__eflags != 0) {
              										_t11 = _t29;
              										_t29 = 0;
              										__eflags = 0;
              									} else {
              										goto L8;
              									}
              								}
              								E01397A50(_t29);
              							} else {
              								goto L5;
              							}
              						}
              					}
              					SetLastError(_t26);
              					return _t11;
              				} else {
              					return 0;
              				}
              			}









              APIs
              • GetLastError.KERNEL32(?,?,0139168B,0138F0E2), ref: 013916A2
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 013916B0
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 013916C9
              • SetLastError.KERNEL32(00000000,?,0139168B,0138F0E2), ref: 0139171B
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: 61327950f292ba17d5b4e4be22b4ff40e673c10de984c6dd377cdc22d7e686d7
              • Instruction ID: f4f5fcda4e444f1da0ae3aec39fa125783e19c7fb8002babd48c77727d800ec4
              • Opcode Fuzzy Hash: 61327950f292ba17d5b4e4be22b4ff40e673c10de984c6dd377cdc22d7e686d7
              • Instruction Fuzzy Hash: 8801DF3664D6136EEF362ABC7C8492F2F9CEB1127DBA0022AF914694E5EF6148019394
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E0138D27B() {
              				intOrPtr _t1;
              				_Unknown_base(*)()* _t3;
              				void* _t5;
              				_Unknown_base(*)()* _t6;
              				struct HINSTANCE__* _t14;
              
              				_t1 =  *0x13cfe58;
              				if(_t1 != 1) {
              					if(_t1 == 0) {
              						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
              						if(_t14 != 0) {
              							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
              							if(_t3 == 0) {
              								goto L5;
              							} else {
              								 *0x13cfe5c = _t3;
              								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
              								if(_t6 == 0) {
              									goto L5;
              								} else {
              									 *0x13cfe60 = _t6;
              								}
              							}
              						} else {
              							L5:
              							_t14 = 1;
              						}
              						asm("lock cmpxchg [edx], ecx");
              						if(0 != 0 || _t14 != 1) {
              							if(0 != 1) {
              								_t5 = 1;
              							} else {
              								goto L12;
              							}
              						} else {
              							L12:
              							_t5 = 0;
              						}
              						return _t5;
              					} else {
              						return 1;
              					}
              				} else {
              					return 0;
              				}
              			}









              Strings
              Similarity
              • API ID:
              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
              • API String ID: 0-1718035505
              • Opcode ID: 6271f70bbe012a7c64bec4b5223eceea1c06ff00668ce1db678ab911000e0440
              • Instruction ID: 7018f4bcbb819be6bfc114c489096ff6aff2bb7cef25e019927693c814d2d62b
              • Opcode Fuzzy Hash: 6271f70bbe012a7c64bec4b5223eceea1c06ff00668ce1db678ab911000e0440
              • Instruction Fuzzy Hash: A20128727813625BDF31BFFD58905A7378DEA06A7E714013EE901D3686E751D401DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 65%
              			E01380910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
              				char _v16;
              				struct _SYSTEMTIME _v32;
              				struct _SYSTEMTIME _v48;
              				struct _FILETIME _v64;
              				struct _FILETIME _v72;
              				intOrPtr _v76;
              				struct _FILETIME _v84;
              				intOrPtr _t47;
              				long _t61;
              				intOrPtr* _t66;
              				long _t72;
              				intOrPtr _t73;
              				intOrPtr* _t76;
              
              				_t73 = __edx;
              				_t66 = _a4;
              				_t76 = __ecx;
              				_v48.wYear =  *_t66;
              				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
              				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
              				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
              				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
              				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
              				_v48.wMilliseconds = 0;
              				_v48.wDayOfWeek.wYear = 0;
              				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
              					 *_t76 = 0;
              					 *((intOrPtr*)(_t76 + 4)) = 0;
              				} else {
              					if(E0137A995() >= 0x600) {
              						FileTimeToSystemTime( &_v64,  &_v32);
              						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
              						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
              						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
              						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
              						asm("sbb eax, [esp+0x24]");
              						asm("sbb eax, edi");
              						asm("adc eax, edi");
              						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
              						asm("adc eax, edi");
              					} else {
              						LocalFileTimeToFileTime( &_v64,  &_v72);
              						_t61 = _v72.dwHighDateTime.dwLowDateTime;
              						_t72 = _v72.dwLowDateTime;
              					}
              					 *_t76 = E0138DDC0(_t72, _t61, 0x64, 0);
              					 *((intOrPtr*)(_t76 + 4)) = _t73;
              				}
              				_t47 =  *((intOrPtr*)(_t66 + 0x18));
              				 *_t76 =  *_t76 + _t47;
              				asm("adc [esi+0x4], edi");
              				return _t47;
              			}

















              APIs
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0138096E
                • Part of subcall function 0137A995: GetVersionExW.KERNEL32(?), ref: 0137A9BA
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01380990
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 013809AA
              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 013809BB
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 013809CB
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 013809D7
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion
              • String ID:
              • API String ID: 2092733347-0
              • Opcode ID: 4bc4e71be972cb3c21c637e4269d6427ba37f76a2f1def5666ebf79b9e07e84b
              • Instruction ID: 28bdfdebc4d0dd922f1ab9e797e9ac2efe367ceca7cdca60c0bde2561f80c279
              • Opcode Fuzzy Hash: 4bc4e71be972cb3c21c637e4269d6427ba37f76a2f1def5666ebf79b9e07e84b
              • Instruction Fuzzy Hash: ED31F57A1083469BC714EFA9C8809ABB7ECFF98704F44491EF999C3210E734E549CB26
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E01388BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
              				void* _t16;
              				signed int _t22;
              				void* _t25;
              				signed int _t30;
              				signed int* _t34;
              
              				_t34 = _a12;
              				if(_t34 != 0) {
              					_t32 = _a8;
              					_t25 = 0x10;
              					if(E0138F3CA(_a8, 0x13a40bc, _t25) == 0) {
              						L13:
              						_t30 = _a4;
              						 *_t34 = _t30;
              						L14:
              						 *((intOrPtr*)( *_t30 + 4))(_t30);
              						_t16 = 0;
              						L16:
              						return _t16;
              					}
              					if(E0138F3CA(_t32, 0x13a40fc, _t25) != 0) {
              						if(E0138F3CA(_t32, 0x13a40dc, _t25) != 0) {
              							if(E0138F3CA(_t32, 0x13a40ac, _t25) != 0) {
              								if(E0138F3CA(_t32, 0x13a414c, _t25) != 0) {
              									if(E0138F3CA(_t32, 0x13a409c, _t25) != 0) {
              										 *_t34 =  *_t34 & 0x00000000;
              										_t16 = 0x80004002;
              										goto L16;
              									}
              									goto L13;
              								}
              								_t30 = _a4;
              								_t22 = _t30 + 0x10;
              								L11:
              								asm("sbb ecx, ecx");
              								 *_t34 =  ~_t30 & _t22;
              								goto L14;
              							}
              							_t30 = _a4;
              							_t22 = _t30 + 0xc;
              							goto L11;
              						}
              						_t30 = _a4;
              						_t22 = _t30 + 8;
              						goto L11;
              					}
              					_t30 = _a4;
              					_t22 = _t30 + 4;
              					goto L11;
              				}
              				return 0x80004003;
              			}









              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: ecd67a587cf9cb8e8b7e70477871f3804743fd3c33085875cdd8e65e8f694333
              • Instruction ID: d00c47eacc3a84fef5e5d4293cec7c1b69aeebd0213615b506909c12db0144ec
              • Opcode Fuzzy Hash: ecd67a587cf9cb8e8b7e70477871f3804743fd3c33085875cdd8e65e8f694333
              • Instruction Fuzzy Hash: 6A2183B164130AEBDF15BB19CC81E7BF7BCDB5074CF458669FC049A20AE270ED458691
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E01398516(void* __ebx, void* __ecx, void* __edx) {
              				void* __edi;
              				void* __esi;
              				intOrPtr _t2;
              				void* _t3;
              				void* _t4;
              				intOrPtr _t9;
              				void* _t11;
              				void* _t20;
              				void* _t21;
              				void* _t23;
              				void* _t25;
              				void* _t27;
              				void* _t29;
              				void* _t31;
              				void* _t32;
              				long _t36;
              				long _t37;
              				void* _t40;
              
              				_t29 = __edx;
              				_t23 = __ecx;
              				_t20 = __ebx;
              				_t36 = GetLastError();
              				_t2 =  *0x13ad6ac; // 0x6
              				_t42 = _t2 - 0xffffffff;
              				if(_t2 == 0xffffffff) {
              					L2:
              					_t3 = E01397B1B(_t23, 1, 0x364);
              					_t31 = _t3;
              					_pop(_t25);
              					if(_t31 != 0) {
              						_t4 = E01399BA9(_t25, _t36, __eflags,  *0x13ad6ac, _t31);
              						__eflags = _t4;
              						if(_t4 != 0) {
              							E01398388(_t25, _t31, 0x13d0418);
              							E01397A50(0);
              							_t40 = _t40 + 0xc;
              							__eflags = _t31;
              							if(_t31 == 0) {
              								goto L9;
              							} else {
              								goto L8;
              							}
              						} else {
              							_push(_t31);
              							goto L4;
              						}
              					} else {
              						_push(_t3);
              						L4:
              						E01397A50();
              						_pop(_t25);
              						L9:
              						SetLastError(_t36);
              						E01397AD8(_t20, _t29, _t31, _t36);
              						asm("int3");
              						_push(_t20);
              						_push(_t36);
              						_push(_t31);
              						_t37 = GetLastError();
              						_t21 = 0;
              						_t9 =  *0x13ad6ac; // 0x6
              						_t45 = _t9 - 0xffffffff;
              						if(_t9 == 0xffffffff) {
              							L12:
              							_t32 = E01397B1B(_t25, 1, 0x364);
              							_pop(_t27);
              							if(_t32 != 0) {
              								_t11 = E01399BA9(_t27, _t37, __eflags,  *0x13ad6ac, _t32);
              								__eflags = _t11;
              								if(_t11 != 0) {
              									E01398388(_t27, _t32, 0x13d0418);
              									E01397A50(_t21);
              									__eflags = _t32;
              									if(_t32 != 0) {
              										goto L19;
              									} else {
              										goto L18;
              									}
              								} else {
              									_push(_t32);
              									goto L14;
              								}
              							} else {
              								_push(_t21);
              								L14:
              								E01397A50();
              								L18:
              								SetLastError(_t37);
              							}
              						} else {
              							_t32 = E01399B53(_t25, _t37, _t45, _t9);
              							if(_t32 != 0) {
              								L19:
              								SetLastError(_t37);
              								_t21 = _t32;
              							} else {
              								goto L12;
              							}
              						}
              						return _t21;
              					}
              				} else {
              					_t31 = E01399B53(_t23, _t36, _t42, _t2);
              					if(_t31 != 0) {
              						L8:
              						SetLastError(_t36);
              						return _t31;
              					} else {
              						goto L2;
              					}
              				}
              			}

              APIs
              • GetLastError.KERNEL32(?,013B00E0,01393394,013B00E0,?,?,01392E0F,?,?,013B00E0), ref: 0139851A
              • _free.LIBCMT ref: 0139854D
              • _free.LIBCMT ref: 01398575
              • SetLastError.KERNEL32(00000000,?,013B00E0), ref: 01398582
              • SetLastError.KERNEL32(00000000,?,013B00E0), ref: 0139858E
              • _abort.LIBCMT ref: 01398594
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: 84caf4048c2d08fb39e934eb87d811dbb24c1a4b96e1f41315626c6439ac35eb
              • Instruction ID: 349e0732189d772fbe673b322f617e9cf2762d37f83088a9d922951b6fd97317
              • Opcode Fuzzy Hash: 84caf4048c2d08fb39e934eb87d811dbb24c1a4b96e1f41315626c6439ac35eb
              • Instruction Fuzzy Hash: 51F02D36184609A7EF12767C6C04F1B356D8BD367DF650554F51993298EE2485054620
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E0138C2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
              				void* _t12;
              				WCHAR* _t16;
              				void* _t17;
              				struct HWND__* _t18;
              				intOrPtr _t19;
              				void* _t20;
              				signed short _t23;
              
              				_t16 = _a16;
              				_t23 = _a12;
              				_t19 = _a8;
              				_t18 = _a4;
              				if(E013712D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
              					L10:
              					return 1;
              				}
              				_t20 = _t19 - 0x110;
              				if(_t20 == 0) {
              					 *0x13cde34 = _t16;
              					SetDlgItemTextW(_t18, 0x66, _t16);
              					SetDlgItemTextW(_t18, 0x68,  *0x13cde34);
              					goto L10;
              				}
              				if(_t20 != 1) {
              					L5:
              					return 0;
              				}
              				_t12 = (_t23 & 0x0000ffff) - 1;
              				if(_t12 == 0) {
              					GetDlgItemTextW(_t18, 0x68,  *0x13cde34, 0x800);
              					_push(1);
              					L7:
              					EndDialog(_t18, ??);
              					goto L10;
              				}
              				if(_t12 == 1) {
              					_push(0);
              					goto L7;
              				}
              				goto L5;
              			}

              APIs
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              • EndDialog.USER32(?,00000001), ref: 0138C2F2
              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0138C308
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0138C322
              • SetDlgItemTextW.USER32(?,00000068), ref: 0138C32D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: RENAMEDLG
              • API String ID: 445417207-3299779563
              • Opcode ID: de9e20f1ef2d555c6ed25ebedfeb2cf69c426dfd17007942f87bc27a8c389e89
              • Instruction ID: af84ad6a946e8e00461cb58b025a57b4bbe51aa4fcde8bd16a9a049611dc0f72
              • Opcode Fuzzy Hash: de9e20f1ef2d555c6ed25ebedfeb2cf69c426dfd17007942f87bc27a8c389e89
              • Instruction Fuzzy Hash: E101D8336803287AEA316BF95D44FB77B6CE75AB09F001029F345B28C5C6D668058775
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			E01396B78(void* __ecx, void* __esi, intOrPtr _a4) {
              				signed int _v8;
              				signed int _v12;
              				signed int _t10;
              				intOrPtr* _t20;
              				signed int _t22;
              
              				_t10 =  *0x13ad668; // 0x5221689b
              				_v8 = _t10 ^ _t22;
              				_v12 = _v12 & 0x00000000;
              				_t12 =  &_v12;
              				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
              				if(_t12 != 0) {
              					_t20 = GetProcAddress(_v12, "CorExitProcess");
              					if(_t20 != 0) {
              						 *0x13a2260(_a4);
              						_t12 =  *_t20();
              					}
              				}
              				if(_v12 != 0) {
              					_t12 = FreeLibrary(_v12);
              				}
              				return E0138E203(_t12, _v8 ^ _t22);
              			}

              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01396B29,?,?,01396AC9,?,013AA800,0000000C,01396C20,?,00000002), ref: 01396B98
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01396BAB
              • FreeLibrary.KERNEL32(00000000,?,?,?,01396B29,?,?,01396AC9,?,013AA800,0000000C,01396C20,?,00000002,00000000), ref: 01396BCE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: 341daf756c929c43149b24799b4f80346b8e73d77666c4751bf33d7c129f6f82
              • Instruction ID: f5be956f2cb9a7ae25b5974dd583fd139a16b59f4d7d06c50095869cc5120925
              • Opcode Fuzzy Hash: 341daf756c929c43149b24799b4f80346b8e73d77666c4751bf33d7c129f6f82
              • Instruction Fuzzy Hash: 6FF04471A01219BBDF259B95D809B9EBFB9EB04719F440069E909A2150DB745A44CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0137E7E3(struct HINSTANCE__** __ecx) {
              				void* _t5;
              				struct HINSTANCE__* _t6;
              				struct HINSTANCE__** _t9;
              
              				_t9 = __ecx;
              				if(__ecx[1] == 0) {
              					_t6 = E0137FCFD(L"Crypt32.dll");
              					 *__ecx = _t6;
              					if(_t6 != 0) {
              						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
              						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
              						_t9[3] = _t6;
              					}
              					_t9[1] = 1;
              					return _t6;
              				}
              				return _t5;
              			}

              APIs
                • Part of subcall function 0137FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0137FD18
                • Part of subcall function 0137FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0137E7F6,Crypt32.dll,?,0137E878,?,0137E85C,?,?,?,?), ref: 0137FD3A
              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0137E802
              • GetProcAddress.KERNEL32(013B7350,CryptUnprotectMemory), ref: 0137E812
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc$DirectoryLibraryLoadSystem
              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
              • API String ID: 2141747552-1753850145
              • Opcode ID: b2b8717c76448ec2e6aa35d948d522b2e54572d4767d7aa0bc72fdf71c313c9e
              • Instruction ID: c4487315ea7fa95c7765a9b6d17db18bc176d5e3f6b2b1ab30732e3d9cf4f407
              • Opcode Fuzzy Hash: b2b8717c76448ec2e6aa35d948d522b2e54572d4767d7aa0bc72fdf71c313c9e
              • Instruction Fuzzy Hash: ABE04FB1541643FEDB215B399808602FFA8BF10B18F54C169E924D3219DBF8D060CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E01397389(signed int* __ecx, signed int __edx) {
              				signed int _v8;
              				intOrPtr* _v12;
              				signed int _v16;
              				signed int _t28;
              				signed int _t29;
              				intOrPtr _t33;
              				signed int _t37;
              				signed int _t38;
              				signed int _t40;
              				void* _t50;
              				signed int _t56;
              				intOrPtr* _t57;
              				signed int _t68;
              				signed int _t71;
              				signed int _t72;
              				signed int _t74;
              				signed int _t75;
              				signed int _t78;
              				signed int _t80;
              				signed int* _t81;
              				signed int _t85;
              				void* _t86;
              
              				_t72 = __edx;
              				_v12 = __ecx;
              				_t28 =  *__ecx;
              				_t81 =  *_t28;
              				if(_t81 != 0) {
              					_t29 =  *0x13ad668; // 0x5221689b
              					_t56 =  *_t81 ^ _t29;
              					_t78 = _t81[1] ^ _t29;
              					_t83 = _t81[2] ^ _t29;
              					asm("ror edi, cl");
              					asm("ror esi, cl");
              					asm("ror ebx, cl");
              					if(_t78 != _t83) {
              						L14:
              						 *_t78 = E013969A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
              						_t33 = E0138DB10(_t56);
              						_t57 = _v12;
              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
              						_t24 = _t78 + 4; // 0x4
              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0138DB10(_t24);
              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0138DB10(_t83);
              						_t37 = 0;
              						L15:
              						return _t37;
              					}
              					_t38 = 0x200;
              					_t85 = _t83 - _t56 >> 2;
              					if(_t85 <= 0x200) {
              						_t38 = _t85;
              					}
              					_t80 = _t38 + _t85;
              					if(_t80 == 0) {
              						_t80 = 0x20;
              					}
              					if(_t80 < _t85) {
              						L9:
              						_push(4);
              						_t80 = _t85 + 4;
              						_push(_t80);
              						_v8 = E0139AC29(_t56);
              						_t40 = E01397A50(0);
              						_t68 = _v8;
              						_t86 = _t86 + 0x10;
              						if(_t68 != 0) {
              							goto L11;
              						}
              						_t37 = _t40 | 0xffffffff;
              						goto L15;
              					} else {
              						_push(4);
              						_push(_t80);
              						_v8 = E0139AC29(_t56);
              						E01397A50(0);
              						_t68 = _v8;
              						_t86 = _t86 + 0x10;
              						if(_t68 != 0) {
              							L11:
              							_t56 = _t68;
              							_v8 = _t68 + _t85 * 4;
              							_t83 = _t68 + _t80 * 4;
              							_t78 = _v8;
              							_push(0x20);
              							asm("ror eax, cl");
              							_t71 = _t78;
              							_v16 = 0 ^  *0x13ad668;
              							asm("sbb edx, edx");
              							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
              							_v8 = _t74;
              							if(_t74 == 0) {
              								goto L14;
              							}
              							_t75 = _v16;
              							_t50 = 0;
              							do {
              								_t50 = _t50 + 1;
              								 *_t71 = _t75;
              								_t71 = _t71 + 4;
              							} while (_t50 != _v8);
              							goto L14;
              						}
              						goto L9;
              					}
              				}
              				return _t28 | 0xffffffff;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: 7744de51284189eb1026169b1516265b80b3158c5cab5a7ccda9010278022b89
              • Instruction ID: 08a1e1938a6abcc16baacf4beb871c58a346b72d61b5c41be83c2216665c0d78
              • Opcode Fuzzy Hash: 7744de51284189eb1026169b1516265b80b3158c5cab5a7ccda9010278022b89
              • Instruction Fuzzy Hash: 5841CF32A103049FDF25DFBCC881A9EB7A6EF89328F5545A8D915EB391D731A901CF80
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E0139ABA6() {
              				int _v8;
              				void* __ecx;
              				void* _t6;
              				int _t7;
              				char* _t13;
              				int _t17;
              				void* _t19;
              				char* _t25;
              				WCHAR* _t27;
              
              				_t27 = GetEnvironmentStringsW();
              				if(_t27 == 0) {
              					L7:
              					_t13 = 0;
              				} else {
              					_t6 = E0139AB6F(_t27);
              					_pop(_t19);
              					_t17 = _t6 - _t27 >> 1;
              					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
              					_v8 = _t7;
              					if(_t7 == 0) {
              						goto L7;
              					} else {
              						_t25 = E01397A8A(_t19, _t7);
              						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
              							_t13 = 0;
              						} else {
              							_t13 = _t25;
              							_t25 = 0;
              						}
              						E01397A50(_t25);
              					}
              				}
              				if(_t27 != 0) {
              					FreeEnvironmentStringsW(_t27);
              				}
              				return _t13;
              			}

              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 0139ABAF
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0139ABD2
                • Part of subcall function 01397A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01392FA6,?,0000015D,?,?,?,?,01394482,000000FF,00000000,?,?), ref: 01397ABC
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0139ABF8
              • _free.LIBCMT ref: 0139AC0B
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0139AC1A
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              • Opcode ID: 8d4e0f3dbbad0286ed8e9594ca1df4e69a2a7e1db15c38e04c25b802ffca2308
              • Instruction ID: 099c7ecac55fe1d2b347d883d8d4469ed9b79ba6834ee4d81268b3dfbffe9e6b
              • Opcode Fuzzy Hash: 8d4e0f3dbbad0286ed8e9594ca1df4e69a2a7e1db15c38e04c25b802ffca2308
              • Instruction Fuzzy Hash: CE0188726016657FBF3115BE6C4CC7F7D6DDAC6A683150219FA04D7244DA618D019AB0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E0139859A(void* __ecx, void* __edx) {
              				void* __esi;
              				intOrPtr _t2;
              				void* _t4;
              				void* _t10;
              				void* _t11;
              				void* _t13;
              				void* _t16;
              				long _t17;
              
              				_t11 = __ecx;
              				_t17 = GetLastError();
              				_t10 = 0;
              				_t2 =  *0x13ad6ac; // 0x6
              				_t20 = _t2 - 0xffffffff;
              				if(_t2 == 0xffffffff) {
              					L2:
              					_t16 = E01397B1B(_t11, 1, 0x364);
              					_pop(_t13);
              					if(_t16 != 0) {
              						_t4 = E01399BA9(_t13, _t17, __eflags,  *0x13ad6ac, _t16);
              						__eflags = _t4;
              						if(_t4 != 0) {
              							E01398388(_t13, _t16, 0x13d0418);
              							E01397A50(_t10);
              							__eflags = _t16;
              							if(_t16 != 0) {
              								goto L9;
              							} else {
              								goto L8;
              							}
              						} else {
              							_push(_t16);
              							goto L4;
              						}
              					} else {
              						_push(_t10);
              						L4:
              						E01397A50();
              						L8:
              						SetLastError(_t17);
              					}
              				} else {
              					_t16 = E01399B53(_t11, _t17, _t20, _t2);
              					if(_t16 != 0) {
              						L9:
              						SetLastError(_t17);
              						_t10 = _t16;
              					} else {
              						goto L2;
              					}
              				}
              				return _t10;
              			}

              APIs
              • GetLastError.KERNEL32(?,?,?,01397ED1,01397B6D,?,01398544,00000001,00000364,?,01392E0F,?,?,013B00E0), ref: 0139859F
              • _free.LIBCMT ref: 013985D4
              • _free.LIBCMT ref: 013985FB
              • SetLastError.KERNEL32(00000000,?,013B00E0), ref: 01398608
              • SetLastError.KERNEL32(00000000,?,013B00E0), ref: 01398611
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: 942665b218b5714e53579536f78d13f8405111a1c52ecfece282aa792296f1cb
              • Instruction ID: dcb6cbd24d6b74e9f4172c0beabae020e88850cd1bb2d8448dc5f0f1b7dd4263
              • Opcode Fuzzy Hash: 942665b218b5714e53579536f78d13f8405111a1c52ecfece282aa792296f1cb
              • Instruction Fuzzy Hash: 69017D372446096BDF13767C6C84E2B356D8BD337DB610168F905D3287EF2589054268
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E013803C7(void* __ecx) {
              				intOrPtr _v16;
              				void* __ebp;
              				int _t16;
              				void** _t21;
              				long* _t25;
              				void* _t28;
              				void* _t30;
              				intOrPtr _t31;
              
              				_t22 = __ecx;
              				_push(0xffffffff);
              				_push(E013A1161);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t31;
              				_t28 = __ecx;
              				E01380697(__ecx);
              				_t25 = 0;
              				 *((char*)(__ecx + 0x314)) = 1;
              				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
              				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
              					_t21 = _t28 + 4;
              					do {
              						E013804BA(_t22, _t30,  *_t21);
              						CloseHandle( *_t21);
              						_t25 = _t25 + 1;
              						_t21 =  &(_t21[1]);
              					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
              				}
              				DeleteCriticalSection(_t28 + 0x320);
              				CloseHandle( *(_t28 + 0x318));
              				_t16 = CloseHandle( *(_t28 + 0x31c));
              				 *[fs:0x0] = _v16;
              				return _t16;
              			}












              APIs
                • Part of subcall function 01380697: ResetEvent.KERNEL32(?), ref: 013806A9
                • Part of subcall function 01380697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 013806BD
              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 013803FB
              • CloseHandle.KERNEL32(?,?), ref: 01380415
              • DeleteCriticalSection.KERNEL32(?), ref: 0138042E
              • CloseHandle.KERNEL32(?), ref: 0138043A
              • CloseHandle.KERNEL32(?), ref: 01380446
                • Part of subcall function 013804BA: WaitForSingleObject.KERNEL32(?,000000FF,013805D9,?,?,0138064E,?,?,?,?,?,01380638), ref: 013804C0
                • Part of subcall function 013804BA: GetLastError.KERNEL32(?,?,0138064E,?,?,?,?,?,01380638), ref: 013804CC
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
              • String ID:
              • API String ID: 1868215902-0
              • Opcode ID: 4739e4c7be08b8e56a22c3f2f6a89b21f81757f2f90e38cabc3334ec24397c2e
              • Instruction ID: 01912cca2a30e62deef2620fa7adde3ee2a3827030e5b3077221348276478063
              • Opcode Fuzzy Hash: 4739e4c7be08b8e56a22c3f2f6a89b21f81757f2f90e38cabc3334ec24397c2e
              • Instruction Fuzzy Hash: 6201B172180B04EBC736EB69DC84BC7FBEEFB48710F400519F56A92154CBB56948CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0139B461(intOrPtr* _a4) {
              				intOrPtr _t6;
              				intOrPtr* _t21;
              				void* _t23;
              				void* _t24;
              				void* _t25;
              				void* _t26;
              				void* _t27;
              
              				_t21 = _a4;
              				if(_t21 != 0) {
              					_t23 =  *_t21 -  *0x13add50; // 0x13add44
              					if(_t23 != 0) {
              						E01397A50(_t7);
              					}
              					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x13add54; // 0x13d088c
              					if(_t24 != 0) {
              						E01397A50(_t8);
              					}
              					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x13add58; // 0x13d088c
              					if(_t25 != 0) {
              						E01397A50(_t9);
              					}
              					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x13add80; // 0x13add48
              					if(_t26 != 0) {
              						E01397A50(_t10);
              					}
              					_t6 =  *((intOrPtr*)(_t21 + 0x34));
              					_t27 = _t6 -  *0x13add84; // 0x13d0890
              					if(_t27 != 0) {
              						return E01397A50(_t6);
              					}
              				}
              				return _t6;
              			}











              APIs
              • _free.LIBCMT ref: 0139B479
                • Part of subcall function 01397A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?), ref: 01397A66
                • Part of subcall function 01397A50: GetLastError.KERNEL32(?,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?,?), ref: 01397A78
              • _free.LIBCMT ref: 0139B48B
              • _free.LIBCMT ref: 0139B49D
              • _free.LIBCMT ref: 0139B4AF
              • _free.LIBCMT ref: 0139B4C1
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 0d106789c79cad5c52845602f8d19a3445e25220ffc9ed6106c369fc9191f15c
              • Instruction ID: bc9a8373ddd326930ca6beb8473aeda2a2cc5c14d252ca524148f203ad3198f4
              • Opcode Fuzzy Hash: 0d106789c79cad5c52845602f8d19a3445e25220ffc9ed6106c369fc9191f15c
              • Instruction Fuzzy Hash: 8CF01232514211ABEF20DAFCF485C5EBBEDAE11758B945805F14DF7A48C734F9809B98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E013975DB(signed int __ecx) {
              				intOrPtr _t7;
              
              				asm("lock xadd [eax], ecx");
              				if((__ecx | 0xffffffff) == 0) {
              					_t7 =  *0x13add40; // 0x1422310
              					if(_t7 != 0x13adb20) {
              						E01397A50(_t7);
              						 *0x13add40 = 0x13adb20;
              					}
              				}
              				E01397A50( *0x13d0410);
              				 *0x13d0410 = 0;
              				E01397A50( *0x13d0414);
              				 *0x13d0414 = 0;
              				E01397A50( *0x13d0860);
              				 *0x13d0860 = 0;
              				E01397A50( *0x13d0864);
              				 *0x13d0864 = 0;
              				return 1;
              			}





              APIs
              • _free.LIBCMT ref: 013975F9
                • Part of subcall function 01397A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?), ref: 01397A66
                • Part of subcall function 01397A50: GetLastError.KERNEL32(?,?,0139B4F8,?,00000000,?,00000000,?,0139B51F,?,00000007,?,?,0139B91C,?,?), ref: 01397A78
              • _free.LIBCMT ref: 0139760B
              • _free.LIBCMT ref: 0139761E
              • _free.LIBCMT ref: 0139762F
              • _free.LIBCMT ref: 01397640
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 0bf281087c2397c9273e298b615cfd2a2162a7acfc5d44f8987e8ca748b38a21
              • Instruction ID: 29874be67a829494d63722d9798b46409921ccd2783f66288d94029d272c3b09
              • Opcode Fuzzy Hash: 0bf281087c2397c9273e298b615cfd2a2162a7acfc5d44f8987e8ca748b38a21
              • Instruction Fuzzy Hash: A8F054708122198BDB3AAF7DF80191E3BFCFB16B28F461115F01166799C73406018FC9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E01396C73(void* __ecx, void* __edx, intOrPtr _a4) {
              				signed int _v8;
              				void* _v12;
              				char _v16;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t36;
              				struct HINSTANCE__* _t37;
              				struct HINSTANCE__* _t43;
              				intOrPtr* _t44;
              				intOrPtr* _t45;
              				CHAR* _t49;
              				struct HINSTANCE__* _t50;
              				void* _t52;
              				struct HINSTANCE__* _t55;
              				intOrPtr* _t59;
              				struct HINSTANCE__* _t64;
              				intOrPtr _t65;
              
              				_t52 = __ecx;
              				if(_a4 == 2 || _a4 == 1) {
              					E0139A7B3(_t52);
              					GetModuleFileNameA(0, 0x13d02b8, 0x104);
              					_t49 =  *0x13d0868; // 0x1413338
              					 *0x13d0870 = 0x13d02b8;
              					if(_t49 == 0 ||  *_t49 == 0) {
              						_t49 = 0x13d02b8;
              					}
              					_v8 = 0;
              					_v16 = 0;
              					E01396D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
              					_t64 = E01396F0C(_v8, _v16, 1);
              					if(_t64 != 0) {
              						E01396D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
              						if(_a4 != 1) {
              							_v12 = 0;
              							_push( &_v12);
              							_t50 = E0139A2CE(_t49, 0, _t64, _t64);
              							if(_t50 == 0) {
              								_t59 = _v12;
              								_t55 = 0;
              								_t36 = _t59;
              								if( *_t59 == 0) {
              									L15:
              									_t37 = 0;
              									 *0x13d085c = _t55;
              									_v12 = 0;
              									_t50 = 0;
              									 *0x13d0860 = _t59;
              									L16:
              									E01397A50(_t37);
              									_v12 = 0;
              									goto L17;
              								} else {
              									goto L14;
              								}
              								do {
              									L14:
              									_t36 = _t36 + 4;
              									_t55 =  &(_t55->i);
              								} while ( *_t36 != 0);
              								goto L15;
              							}
              							_t37 = _v12;
              							goto L16;
              						}
              						 *0x13d085c = _v8 - 1;
              						_t43 = _t64;
              						_t64 = 0;
              						 *0x13d0860 = _t43;
              						goto L10;
              					} else {
              						_t44 = E01397ECC();
              						_push(0xc);
              						_pop(0);
              						 *_t44 = 0;
              						L10:
              						_t50 = 0;
              						L17:
              						E01397A50(_t64);
              						return _t50;
              					}
              				} else {
              					_t45 = E01397ECC();
              					_t65 = 0x16;
              					 *_t45 = _t65;
              					E01397DAB();
              					return _t65;
              				}
              			}






















              APIs
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\XnQ8NBKkhW.exe,00000104), ref: 01396CB3
              • _free.LIBCMT ref: 01396D7E
              • _free.LIBCMT ref: 01396D88
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\XnQ8NBKkhW.exe
              • API String ID: 2506810119-1598422487
              • Opcode ID: c1cff944209f39703c98984b0e758c6d79fd5e18f2dfb4a4af4ac13b910c9132
              • Instruction ID: 61b9c1467e2becf6119916fcc14e43869d6b509f5081efd49b632fa7c2b31e59
              • Opcode Fuzzy Hash: c1cff944209f39703c98984b0e758c6d79fd5e18f2dfb4a4af4ac13b910c9132
              • Instruction Fuzzy Hash: 8B318DB1A02259AFDF25EF9DD88699EBFFCEB95718F104066F91497200D7709A80CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E013773B9(void* __ebx, void* __edx, void* __esi) {
              				void* _t26;
              				long _t32;
              				void* _t39;
              				void* _t42;
              				intOrPtr _t43;
              				void* _t52;
              				void* _t57;
              				void* _t58;
              				void* _t61;
              
              				_t57 = __esi;
              				_t52 = __edx;
              				_t42 = __ebx;
              				E0138D870(E013A1321, _t61);
              				E0138D940();
              				 *((intOrPtr*)(_t61 - 0x20)) = 0;
              				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
              				 *((intOrPtr*)(_t61 - 0x18)) = 0;
              				 *((intOrPtr*)(_t61 - 0x14)) = 0;
              				 *((char*)(_t61 - 0x10)) = 0;
              				_t54 =  *((intOrPtr*)(_t61 + 8));
              				_push(0);
              				_push(0);
              				 *((intOrPtr*)(_t61 - 4)) = 0;
              				_push(_t61 - 0x20);
              				if(E0137399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
              					if( *0x13b0042 == 0) {
              						if(E01377A15(L"SeSecurityPrivilege") != 0) {
              							 *0x13b0041 = 1;
              						}
              						E01377A15(L"SeRestorePrivilege");
              						 *0x13b0042 = 1;
              					}
              					_push(_t57);
              					_t58 = 7;
              					if( *0x13b0041 != 0) {
              						_t58 = 0xf;
              					}
              					_push(_t42);
              					_t43 =  *((intOrPtr*)(_t61 - 0x20));
              					_push(_t43);
              					_push(_t58);
              					_push( *((intOrPtr*)(_t61 + 0xc)));
              					if( *0x13ade80() == 0) {
              						if(E0137B32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
              							L10:
              							E01376BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
              							_t32 = GetLastError();
              							E0138E214(_t32);
              							if(_t32 == 5 && E0137FC98() == 0) {
              								E01371567(_t61 - 0x6c, 0x18);
              								E01380A9F(_t61 - 0x6c);
              							}
              							E01376E03(0x13b00e0, 1);
              						} else {
              							_t39 =  *0x13ade80(_t61 - 0x106c, _t58, _t43);
              							_t70 = _t39;
              							if(_t39 == 0) {
              								goto L10;
              							}
              						}
              					}
              				}
              				_t26 = E0137159C(_t61 - 0x20);
              				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
              				return _t26;
              			}













              APIs
              • __EH_prolog.LIBCMT ref: 013773BE
                • Part of subcall function 0137399D: __EH_prolog.LIBCMT ref: 013739A2
              • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 01377485
                • Part of subcall function 01377A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 01377A24
                • Part of subcall function 01377A15: GetLastError.KERNEL32 ref: 01377A6A
                • Part of subcall function 01377A15: CloseHandle.KERNEL32(?), ref: 01377A79
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
              • String ID: SeRestorePrivilege$SeSecurityPrivilege
              • API String ID: 3813983858-639343689
              • Opcode ID: 0246e7b1c9a965f8119386fceacf94750b81ddf42da4d140ea188aeb4a02152f
              • Instruction ID: 410ad4ec396657db6c55bc1e77a124c7e7d074d02b18f280b8202032cf9e0cd4
              • Opcode Fuzzy Hash: 0246e7b1c9a965f8119386fceacf94750b81ddf42da4d140ea188aeb4a02152f
              • Instruction Fuzzy Hash: 2731B371A00209AAEF30EBACDC48BFEBF7DAF55318F404059E549B7181D7788A448BA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 62%
              			E01389B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
              				void* _t12;
              				void* _t16;
              				void* _t22;
              				WCHAR** _t24;
              				void* _t25;
              				intOrPtr _t27;
              				void* _t28;
              				struct HWND__* _t30;
              				signed short _t31;
              
              				_t24 = _a16;
              				_t31 = _a12;
              				_t30 = _a4;
              				_t27 = _a8;
              				if(E013712D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
              					L14:
              					__eflags = 1;
              					return 1;
              				}
              				_t28 = _t27 - 0x110;
              				if(_t28 == 0) {
              					_push( *_t24);
              					 *0x13cfe38 = _t24;
              					L13:
              					SetDlgItemTextW(_t30, 0x66, ??);
              					goto L14;
              				}
              				if(_t28 != 1) {
              					L6:
              					return 0;
              				}
              				_t12 = (_t31 & 0x0000ffff) - 1;
              				if(_t12 == 0) {
              					GetDlgItemTextW(_t30, 0x66,  *( *0x13cfe38), ( *0x13cfe38)[1]);
              					_push(1);
              					L10:
              					EndDialog(_t30, ??);
              					goto L14;
              				}
              				_t16 = _t12 - 1;
              				if(_t16 == 0) {
              					_push(0);
              					goto L10;
              				}
              				if(_t16 == 0x65) {
              					_push(0);
              					_push(E0137B943(__eflags,  *( *0x13cfe38)));
              					_push( *( *0x13cfe38));
              					_push(E0137DA42(_t25, 0x8e));
              					_t22 = E013710B0(_t30);
              					__eflags = _t22;
              					if(_t22 == 0) {
              						goto L14;
              					}
              					_push( *( *0x13cfe38));
              					goto L13;
              				}
              				goto L6;
              			}













              APIs
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              • EndDialog.USER32(?,00000001), ref: 01389C15
              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 01389C2A
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 01389C3F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: ASKNEXTVOL
              • API String ID: 445417207-3402441367
              • Opcode ID: 9828c2e6bb2b757d5312a1404a53c0dc0dc8041ad053c2baf5f438a4a9ee771d
              • Instruction ID: 2320da325eb5ad1df8461bc2ffcb4ece45e00e2ebe96c157f29ee956c0a3696b
              • Opcode Fuzzy Hash: 9828c2e6bb2b757d5312a1404a53c0dc0dc8041ad053c2baf5f438a4a9ee771d
              • Instruction Fuzzy Hash: 68116633344205AFEA22BFACDD48F777BBDEB9A70CF440010F20596555C766A6468B25
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E0137CE52(void* __ebx, void* __ecx, void* __edi) {
              				void* __esi;
              				intOrPtr _t26;
              				signed int* _t30;
              				void* _t31;
              				void* _t34;
              				void* _t42;
              				void* _t44;
              				void* _t46;
              				void* _t48;
              				void* _t49;
              				void* _t50;
              
              				_t44 = __edi;
              				_t43 = __ecx;
              				_t42 = __ebx;
              				_t48 = _t49 - 0x64;
              				_t50 = _t49 - 0xac;
              				_t46 = __ecx;
              				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
              					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
              					 *((char*)(_t48 + 8)) = 0;
              					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
              					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
              						E013811FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
              					}
              					_t26 =  *((intOrPtr*)(_t48 + 0x70));
              					if(_t26 == 0) {
              						E0137FA56(_t48 + 8, "s", 0x50);
              					} else {
              						_t34 = _t26 - 1;
              						if(_t34 == 0) {
              							_push(_t48 - 0x48);
              							_push("$%s");
              							goto L9;
              						} else {
              							if(_t34 == 1) {
              								_push(_t48 - 0x48);
              								_push("@%s");
              								L9:
              								_push(0x50);
              								_push(_t48 + 8);
              								E0137D9DC();
              								_t50 = _t50 + 0x10;
              							}
              						}
              					}
              					_t16 = _t46 + 0x18; // 0x63
              					_t18 = _t46 + 0x14; // 0x1433438
              					_t30 = E01394E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0137CC88);
              					if(_t30 == 0) {
              						goto L1;
              					} else {
              						_t20 = 0x13ad158 +  *_t30 * 0xc; // 0x13a33e0
              						E013954E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
              						_t31 = 1;
              					}
              				} else {
              					L1:
              					_t31 = 0;
              				}
              				return _t31;
              			}















              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: __fprintf_l_strncpy
              • String ID: $%s$@%s
              • API String ID: 1857242416-834177443
              • Opcode ID: a12d7bb1f778ab96164d5cf98283cffaf461bd10ced0966e205043d5a6b8f6ca
              • Instruction ID: 7209ea387e738e01ae670ede272593eec800fd15d9b98cdcd36f24e23ba4820d
              • Opcode Fuzzy Hash: a12d7bb1f778ab96164d5cf98283cffaf461bd10ced0966e205043d5a6b8f6ca
              • Instruction Fuzzy Hash: EC21A17244030EAEEF30DFA8CD01FEE3BACEB04709F000426FA1896961D379D6598B51
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E0138A0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
              				short _v260;
              				void* __ebx;
              				void* _t15;
              				signed short _t24;
              				struct HWND__* _t28;
              				intOrPtr _t29;
              				void* _t30;
              
              				_t24 = _a12;
              				_t29 = _a8;
              				_t28 = _a4;
              				if(E013712D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
              					L10:
              					return 1;
              				}
              				_t30 = _t29 - 0x110;
              				if(_t30 == 0) {
              					SetDlgItemTextW(_t28, 0x67, _a16);
              					goto L10;
              				}
              				if(_t30 != 1) {
              					L5:
              					return 0;
              				}
              				_t15 = (_t24 & 0x0000ffff) - 1;
              				if(_t15 == 0) {
              					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
              					E0137E90C(_t24, 0x13c5c00,  &_v260);
              					E0137E957( &_v260, 0x80);
              					_push(1);
              					L7:
              					EndDialog(_t28, ??);
              					goto L10;
              				}
              				if(_t15 == 1) {
              					_push(0);
              					goto L7;
              				}
              				goto L5;
              			}











              APIs
                • Part of subcall function 013712D7: GetDlgItem.USER32(00000000,00003021), ref: 0137131B
                • Part of subcall function 013712D7: SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              • EndDialog.USER32(?,00000001), ref: 0138A0FE
              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0138A116
              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0138A144
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: GETPASSWORD1
              • API String ID: 445417207-3292211884
              • Opcode ID: 8594e46a95cb5207162e61c791760009e3c2aa197f649c933f952f72fc979cd2
              • Instruction ID: 8d1ebb0952e0bc724ff7465b494979729599f4b1a7028ed67018d827b8cba188
              • Opcode Fuzzy Hash: 8594e46a95cb5207162e61c791760009e3c2aa197f649c933f952f72fc979cd2
              • Instruction Fuzzy Hash: D911E13290021DB7DB21AB6C9C48FBB3B6CEB4A748F400062FA45F3480C6A99A5587A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E0137B1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
              				short _t10;
              				void* _t13;
              				signed int _t14;
              				short* _t20;
              				void* _t23;
              				signed short* _t27;
              				signed int _t29;
              				signed int _t31;
              
              				_t20 = _a8;
              				_t27 = _a4;
              				 *_t20 = 0;
              				_t10 = E0137B4C6(_t27);
              				if(_t10 == 0) {
              					_t29 = 0x5c;
              					if( *_t27 == _t29 && _t27[1] == _t29) {
              						_push(_t29);
              						_push( &(_t27[2]));
              						_t10 = E01390BB8(__ecx);
              						_pop(_t23);
              						if(_t10 != 0) {
              							_push(_t29);
              							_push(_t10 + 2);
              							_t13 = E01390BB8(_t23);
              							if(_t13 == 0) {
              								_t14 = E01392B33(_t27);
              							} else {
              								_t14 = (_t13 - _t27 >> 1) + 1;
              							}
              							asm("sbb esi, esi");
              							_t31 = _t29 & _t14;
              							E01394DDA(_t20, _t27, _t31);
              							_t10 = 0;
              							 *((short*)(_t20 + _t31 * 2)) = 0;
              						}
              					}
              					return _t10;
              				}
              				return E01373E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
              			}












              APIs
              • _swprintf.LIBCMT ref: 0137B1DE
                • Part of subcall function 01373E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01373E54
              • _wcschr.LIBVCRUNTIME ref: 0137B1FC
              • _wcschr.LIBVCRUNTIME ref: 0137B20C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _wcschr$__vswprintf_c_l_swprintf
              • String ID: %c:\
              • API String ID: 525462905-3142399695
              • Opcode ID: ed42fe8f988e61388ac244478553ae51ff74e0821e229abf448914772bfff689
              • Instruction ID: a6042c006897923dcef61fe22788e760647087a285e28ae22d5b8d4880f531a6
              • Opcode Fuzzy Hash: ed42fe8f988e61388ac244478553ae51ff74e0821e229abf448914772bfff689
              • Instruction Fuzzy Hash: 6A01D2235013137ADF306B6D9C45D6FE7BCEEA9668B80840AF884C3585FA38D450C2B1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E01380326(long* __ecx, long _a4) {
              				void* __esi;
              				void* __ebp;
              				long _t11;
              				void* _t14;
              				long _t23;
              				long* _t25;
              
              				_t19 = __ecx;
              				_t11 = _a4;
              				_t25 = __ecx;
              				_t23 = 0x40;
              				 *__ecx = _t11;
              				if(_t11 > _t23) {
              					 *__ecx = _t23;
              				}
              				if( *_t25 == 0) {
              					 *_t25 = 1;
              				}
              				_t25[0x41] = 0;
              				if( *_t25 > _t23) {
              					 *_t25 = _t23;
              				}
              				_t3 =  &(_t25[0xc8]); // 0x320
              				_t25[0xc5] = 0;
              				InitializeCriticalSection(_t3);
              				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
              				_t14 = CreateEventW(0, 1, 1, 0);
              				_t25[0xc7] = _t14;
              				if(_t25[0xc6] == 0 || _t14 == 0) {
              					_push(L"\nThread pool initialization failed.");
              					_push(0x13b00e0);
              					E01376CC9(E01376CCE(_t19), 0x13b00e0, _t25, 2);
              				}
              				_t25[0xc3] = 0;
              				_t25[0xc4] = 0;
              				_t25[0x42] = 0;
              				return _t25;
              			}










              APIs
              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0137A865,00000008,00000000,?,?,0137C802,?,00000000,?,00000001,?), ref: 0138035F
              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0137A865,00000008,00000000,?,?,0137C802,?,00000000), ref: 01380369
              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0137A865,00000008,00000000,?,?,0137C802,?,00000000), ref: 01380379
              Strings
              • Thread pool initialization failed., xrefs: 01380391
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Create$CriticalEventInitializeSectionSemaphore
              • String ID: Thread pool initialization failed.
              • API String ID: 3340455307-2182114853
              • Opcode ID: 9590b36897a2f79ed755f1ffe141d6f40ac1f7e0b8c369248aecd5dc3a583c11
              • Instruction ID: bbfbc0631f0c632615560108c1ea4e64d063f49d89a3d776a83eeec60b36e384
              • Opcode Fuzzy Hash: 9590b36897a2f79ed755f1ffe141d6f40ac1f7e0b8c369248aecd5dc3a583c11
              • Instruction Fuzzy Hash: 4D1182F1540709AFD3356F7AD8C4AABFBECEB55758F10482EF1DA82201D6B16984CB60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138C96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
              				long _v0;
              				_Unknown_base(*)()* _t16;
              				int _t22;
              				WCHAR* _t25;
              
              				 *0x13cce10 = _a12;
              				 *0x13cce14 = _a16;
              				 *0x13b75f4 = _a20;
              				if( *0x13b75d3 == 0) {
              					if( *0x13b75d2 == 0) {
              						_t16 = E0138AFB9;
              						_t25 = L"REPLACEFILEDLG";
              						while(1) {
              							_t22 = DialogBoxParamW( *0x13b0064, _t25,  *0x13b75c8, _t16, _a4);
              							if(_t22 != 4) {
              								break;
              							}
              							if(DialogBoxParamW( *0x13b0060, L"RENAMEDLG",  *0x13b75d8, E0138C2A7, _v0) != 0) {
              								break;
              							}
              						}
              						return _t22;
              					}
              					return 1;
              				}
              				return 0;
              			}








              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: RENAMEDLG$REPLACEFILEDLG
              • API String ID: 0-56093855
              • Opcode ID: 62f097fd8b884f342048065383ea4a15d2e695c4db87c0ef052db607c8a5c914
              • Instruction ID: fae5545f86c4b06248d5ff8efdc0aec0ea15b42fd977da24e8c6090081e6870d
              • Opcode Fuzzy Hash: 62f097fd8b884f342048065383ea4a15d2e695c4db87c0ef052db607c8a5c914
              • Instruction Fuzzy Hash: 4601B172204345FFD721AB29ED80E97BBEDE785758F001466F646A2254E62298148B71
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E01398749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
              				signed int _v8;
              				signed int _v12;
              				signed int _v16;
              				unsigned int _v20;
              				signed int _v28;
              				signed int _v32;
              				signed int _v36;
              				char _v40;
              				intOrPtr _v48;
              				char _v52;
              				void* __ebx;
              				void* __edi;
              				void* _t86;
              				signed int _t92;
              				signed int _t93;
              				signed int _t94;
              				signed int _t100;
              				void* _t101;
              				void* _t102;
              				void* _t104;
              				void* _t107;
              				void* _t109;
              				void* _t111;
              				void* _t115;
              				char* _t116;
              				void* _t119;
              				signed int _t121;
              				signed int _t128;
              				signed int* _t129;
              				signed int _t136;
              				signed int _t137;
              				char _t138;
              				signed int _t139;
              				signed int _t142;
              				signed int _t146;
              				signed int _t151;
              				char _t156;
              				char _t157;
              				void* _t161;
              				unsigned int _t162;
              				signed int _t164;
              				signed int _t166;
              				signed int _t170;
              				void* _t171;
              				signed int* _t172;
              				signed int _t174;
              				signed int _t181;
              				signed int _t182;
              				signed int _t183;
              				signed int _t184;
              				signed int _t185;
              				signed int _t186;
              				signed int _t187;
              
              				_t171 = __edx;
              				_t181 = _a24;
              				if(_t181 < 0) {
              					_t181 = 0;
              				}
              				_t184 = _a8;
              				 *_t184 = 0;
              				E01393356(0,  &_v52, _t171, _a36);
              				_t5 = _t181 + 0xb; // 0xb
              				if(_a12 > _t5) {
              					_t172 = _a4;
              					_t142 = _t172[1];
              					_v36 =  *_t172;
              					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
              					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
              						L11:
              						__eflags = _t142 & 0x80000000;
              						if((_t142 & 0x80000000) != 0) {
              							 *_t184 = 0x2d;
              							_t184 = _t184 + 1;
              							__eflags = _t184;
              						}
              						__eflags = _a28;
              						_v16 = 0x3ff;
              						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
              						__eflags = _t172[1] & 0x7ff00000;
              						_v32 = _t136;
              						_t86 = 0x30;
              						if((_t172[1] & 0x7ff00000) != 0) {
              							 *_t184 = 0x31;
              							_t185 = _t184 + 1;
              							__eflags = _t185;
              						} else {
              							 *_t184 = _t86;
              							_t185 = _t184 + 1;
              							_t164 =  *_t172 | _t172[1] & 0x000fffff;
              							__eflags = _t164;
              							if(_t164 != 0) {
              								_v16 = 0x3fe;
              							} else {
              								_v16 = _v16 & _t164;
              							}
              						}
              						_t146 = _t185;
              						_t186 = _t185 + 1;
              						_v28 = _t146;
              						__eflags = _t181;
              						if(_t181 != 0) {
              							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
              						} else {
              							 *_t146 = 0;
              						}
              						_t92 = _t172[1] & 0x000fffff;
              						__eflags = _t92;
              						_v20 = _t92;
              						if(_t92 > 0) {
              							L23:
              							_t33 =  &_v8;
              							 *_t33 = _v8 & 0x00000000;
              							__eflags =  *_t33;
              							_t147 = 0xf0000;
              							_t93 = 0x30;
              							_v12 = _t93;
              							_v20 = 0xf0000;
              							do {
              								__eflags = _t181;
              								if(_t181 <= 0) {
              									break;
              								}
              								_t119 = E0138DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
              								_t161 = 0x30;
              								_t121 = _t119 + _t161 & 0x0000ffff;
              								__eflags = _t121 - 0x39;
              								if(_t121 > 0x39) {
              									_t121 = _t121 + _t136;
              									__eflags = _t121;
              								}
              								_t162 = _v20;
              								_t172 = _a4;
              								 *_t186 = _t121;
              								_t186 = _t186 + 1;
              								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
              								_t147 = _t162 >> 4;
              								_t93 = _v12 - 4;
              								_t181 = _t181 - 1;
              								_v20 = _t162 >> 4;
              								_v12 = _t93;
              								__eflags = _t93;
              							} while (_t93 >= 0);
              							__eflags = _t93;
              							if(_t93 < 0) {
              								goto L39;
              							}
              							_t115 = E0138DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
              							__eflags = _t115 - 8;
              							if(_t115 <= 8) {
              								goto L39;
              							}
              							_t54 = _t186 - 1; // 0x1393fc1
              							_t116 = _t54;
              							_t138 = 0x30;
              							while(1) {
              								_t156 =  *_t116;
              								__eflags = _t156 - 0x66;
              								if(_t156 == 0x66) {
              									goto L33;
              								}
              								__eflags = _t156 - 0x46;
              								if(_t156 != 0x46) {
              									_t139 = _v32;
              									__eflags = _t116 - _v28;
              									if(_t116 == _v28) {
              										_t57 = _t116 - 1;
              										 *_t57 =  *(_t116 - 1) + 1;
              										__eflags =  *_t57;
              									} else {
              										_t157 =  *_t116;
              										__eflags = _t157 - 0x39;
              										if(_t157 != 0x39) {
              											 *_t116 = _t157 + 1;
              										} else {
              											 *_t116 = _t139 + 0x3a;
              										}
              									}
              									goto L39;
              								}
              								L33:
              								 *_t116 = _t138;
              								_t116 = _t116 - 1;
              							}
              						} else {
              							__eflags =  *_t172;
              							if( *_t172 <= 0) {
              								L39:
              								__eflags = _t181;
              								if(_t181 > 0) {
              									_push(_t181);
              									_t111 = 0x30;
              									_push(_t111);
              									_push(_t186);
              									E0138E920(_t181);
              									_t186 = _t186 + _t181;
              									__eflags = _t186;
              								}
              								_t94 = _v28;
              								__eflags =  *_t94;
              								if( *_t94 == 0) {
              									_t186 = _t94;
              								}
              								__eflags = _a28;
              								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
              								_t174 = _a4[1];
              								_t100 = E0138DAC0( *_a4, 0x34, _t174);
              								_t137 = 0;
              								_t151 = (_t100 & 0x000007ff) - _v16;
              								__eflags = _t151;
              								asm("sbb ebx, ebx");
              								if(__eflags < 0) {
              									L47:
              									 *(_t186 + 1) = 0x2d;
              									_t187 = _t186 + 2;
              									__eflags = _t187;
              									_t151 =  ~_t151;
              									asm("adc ebx, 0x0");
              									_t137 =  ~_t137;
              									goto L48;
              								} else {
              									if(__eflags > 0) {
              										L46:
              										 *(_t186 + 1) = 0x2b;
              										_t187 = _t186 + 2;
              										L48:
              										_t182 = _t187;
              										_t101 = 0x30;
              										 *_t187 = _t101;
              										__eflags = _t137;
              										if(__eflags < 0) {
              											L56:
              											__eflags = _t187 - _t182;
              											if(_t187 != _t182) {
              												L60:
              												_push(0);
              												_push(0xa);
              												_push(_t137);
              												_push(_t151);
              												_t102 = E0138DE00();
              												_v32 = _t174;
              												 *_t187 = _t102 + 0x30;
              												_t187 = _t187 + 1;
              												__eflags = _t187;
              												L61:
              												_t104 = 0x30;
              												_t183 = 0;
              												__eflags = 0;
              												 *_t187 = _t151 + _t104;
              												 *(_t187 + 1) = 0;
              												goto L62;
              											}
              											__eflags = _t137;
              											if(__eflags < 0) {
              												goto L61;
              											}
              											if(__eflags > 0) {
              												goto L60;
              											}
              											__eflags = _t151 - 0xa;
              											if(_t151 < 0xa) {
              												goto L61;
              											}
              											goto L60;
              										}
              										if(__eflags > 0) {
              											L51:
              											_push(0);
              											_push(0x3e8);
              											_push(_t137);
              											_push(_t151);
              											_t107 = E0138DE00();
              											_v32 = _t174;
              											 *_t187 = _t107 + 0x30;
              											_t187 = _t187 + 1;
              											__eflags = _t187 - _t182;
              											if(_t187 != _t182) {
              												L55:
              												_push(0);
              												_push(0x64);
              												_push(_t137);
              												_push(_t151);
              												_t109 = E0138DE00();
              												_v32 = _t174;
              												 *_t187 = _t109 + 0x30;
              												_t187 = _t187 + 1;
              												__eflags = _t187;
              												goto L56;
              											}
              											L52:
              											__eflags = _t137;
              											if(__eflags < 0) {
              												goto L56;
              											}
              											if(__eflags > 0) {
              												goto L55;
              											}
              											__eflags = _t151 - 0x64;
              											if(_t151 < 0x64) {
              												goto L56;
              											}
              											goto L55;
              										}
              										__eflags = _t151 - 0x3e8;
              										if(_t151 < 0x3e8) {
              											goto L52;
              										}
              										goto L51;
              									}
              									__eflags = _t151;
              									if(_t151 < 0) {
              										goto L47;
              									}
              									goto L46;
              								}
              							}
              							goto L23;
              						}
              					}
              					__eflags = 0;
              					if(0 != 0) {
              						goto L11;
              					} else {
              						_t183 = E01398A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
              						__eflags = _t183;
              						if(_t183 == 0) {
              							_t128 = E013A0FD0(_t184, 0x65);
              							_pop(_t166);
              							__eflags = _t128;
              							if(_t128 != 0) {
              								__eflags = _a28;
              								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
              								__eflags = _t170;
              								 *_t128 = _t170;
              								 *((char*)(_t128 + 3)) = 0;
              							}
              							_t183 = 0;
              						} else {
              							 *_t184 = 0;
              						}
              						goto L62;
              					}
              				} else {
              					_t129 = E01397ECC();
              					_t183 = 0x22;
              					 *_t129 = _t183;
              					E01397DAB();
              					L62:
              					if(_v40 != 0) {
              						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
              					}
              					return _t183;
              				}
              			}


              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              • API String ID: 1036877536-0
              • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
              • Instruction ID: 9d658f163f72949c2110372d39c2a398d51292e748801daa3607e9ccafc33a00
              • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
              • Instruction Fuzzy Hash: 8CA1397290438A9FEF26CF6CC8807AEBFE5EF96358F1841EDD5959B281C2388941C751
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E01379F96(void* __edx) {
              				signed char _t40;
              				void* _t41;
              				void* _t52;
              				signed char _t70;
              				void* _t79;
              				signed int* _t81;
              				signed int* _t84;
              				void* _t85;
              				signed int* _t88;
              				void* _t90;
              
              				_t79 = __edx;
              				E0138D940();
              				_t84 =  *(_t90 + 0x1038);
              				_t70 = 1;
              				if(_t84 == 0) {
              					L2:
              					 *(_t90 + 0x11) = 0;
              					L3:
              					_t81 =  *(_t90 + 0x1040);
              					if(_t81 == 0) {
              						L5:
              						 *(_t90 + 0x13) = 0;
              						L6:
              						_t88 =  *(_t90 + 0x1044);
              						if(_t88 == 0) {
              							L8:
              							 *(_t90 + 0x12) = 0;
              							L9:
              							_t40 = E01379E7F( *(_t90 + 0x1038));
              							 *(_t90 + 0x18) = _t40;
              							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
              								_t70 = 0;
              							} else {
              								E0137A12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
              							}
              							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
              							 *(_t90 + 0x14) = _t41;
              							if(_t41 != 0xffffffff) {
              								L16:
              								if( *(_t90 + 0x11) != 0) {
              									E0138082F(_t84, _t79, _t90 + 0x1c);
              								}
              								if( *(_t90 + 0x13) != 0) {
              									E0138082F(_t81, _t79, _t90 + 0x2c);
              								}
              								if( *(_t90 + 0x12) != 0) {
              									E0138082F(_t88, _t79, _t90 + 0x24);
              								}
              								_t85 =  *(_t90 + 0x14);
              								asm("sbb eax, eax");
              								asm("sbb eax, eax");
              								asm("sbb eax, eax");
              								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
              								_t52 = CloseHandle(_t85);
              								if(_t70 != 0) {
              									_t52 = E0137A12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
              								}
              								goto L24;
              							} else {
              								_t52 = E0137B32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
              								if(_t52 == 0) {
              									L24:
              									return _t52;
              								}
              								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
              								 *(_t90 + 0x14) = _t52;
              								if(_t52 == 0xffffffff) {
              									goto L24;
              								}
              								goto L16;
              							}
              						}
              						 *(_t90 + 0x12) = _t70;
              						if(( *_t88 | _t88[1]) != 0) {
              							goto L9;
              						}
              						goto L8;
              					}
              					 *(_t90 + 0x13) = _t70;
              					if(( *_t81 | _t81[1]) != 0) {
              						goto L6;
              					}
              					goto L5;
              				}
              				 *(_t90 + 0x11) = 1;
              				if(( *_t84 | _t84[1]) != 0) {
              					goto L3;
              				}
              				goto L2;
              			}


              APIs
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,01377F2C,?,?,?), ref: 0137A03C
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,01377F2C,?,?), ref: 0137A080
              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,01377F2C,?,?,?,?,?,?,?,?), ref: 0137A101
              • CloseHandle.KERNEL32(?,?,00000000,?,01377F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 0137A108
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$Create$CloseHandleTime
              • String ID:
              • API String ID: 2287278272-0
              • Opcode ID: e2caf1a600645c18350ebcfa488680b4b728ffa800c8d34d74fc76312d572b79
              • Instruction ID: e04daacefee0b0e3e91b99a8093925b7455bb82cae1eb8f33e0a96db5749bcfd
              • Opcode Fuzzy Hash: e2caf1a600645c18350ebcfa488680b4b728ffa800c8d34d74fc76312d572b79
              • Instruction Fuzzy Hash: CE41BF312483819AE736EF28DC45BAEBBE99B85318F08091DF6D5931C0C668DA4CDB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E0139B5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
              				signed int _v8;
              				int _v12;
              				char _v16;
              				intOrPtr _v24;
              				char _v28;
              				void* _v40;
              				signed int _t34;
              				signed int _t40;
              				int _t46;
              				int _t53;
              				void* _t55;
              				int _t57;
              				signed int _t63;
              				int _t67;
              				short* _t69;
              				signed int _t70;
              				short* _t71;
              
              				_t34 =  *0x13ad668; // 0x5221689b
              				_v8 = _t34 ^ _t70;
              				E01393356(__ebx,  &_v28, __edx, _a4);
              				_t57 = _a24;
              				if(_t57 == 0) {
              					_t6 = _v24 + 8; // 0x31e85006
              					_t53 =  *_t6;
              					_t57 = _t53;
              					_a24 = _t53;
              				}
              				_t67 = 0;
              				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
              				_v12 = _t40;
              				if(_t40 == 0) {
              					L15:
              					if(_v16 != 0) {
              						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
              					}
              					return E0138E203(_t67, _v8 ^ _t70);
              				}
              				_t55 = _t40 + _t40;
              				asm("sbb eax, eax");
              				if((_t55 + 0x00000008 & _t40) == 0) {
              					_t69 = 0;
              					L11:
              					if(_t69 != 0) {
              						E0138E920(_t67, _t69, _t67, _t55);
              						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
              						if(_t46 != 0) {
              							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
              						}
              					}
              					L14:
              					E0139980D(_t69);
              					goto L15;
              				}
              				asm("sbb eax, eax");
              				_t48 = _t40 & _t55 + 0x00000008;
              				_t63 = _t55 + 8;
              				if((_t40 & _t55 + 0x00000008) > 0x400) {
              					asm("sbb eax, eax");
              					_t69 = E01397A8A(_t63, _t48 & _t63);
              					if(_t69 == 0) {
              						goto L14;
              					}
              					 *_t69 = 0xdddd;
              					L9:
              					_t69 =  &(_t69[4]);
              					goto L11;
              				}
              				asm("sbb eax, eax");
              				E013A0EE0();
              				_t69 = _t71;
              				if(_t69 == 0) {
              					goto L14;
              				}
              				 *_t69 = 0xcccc;
              				goto L9;
              			}


              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,31E85006,013934E6,00000000,00000000,0139451B,?,0139451B,?,00000001,013934E6,31E85006,00000001,0139451B,0139451B), ref: 0139B637
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0139B6C0
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0139B6D2
              • __freea.LIBCMT ref: 0139B6DB
                • Part of subcall function 01397A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01392FA6,?,0000015D,?,?,?,?,01394482,000000FF,00000000,?,?), ref: 01397ABC
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID:
              • API String ID: 2652629310-0
              • Opcode ID: 4bf977782e56cc6d3e6cfdaa9648ee35090604325d9b1ae192860fc68a49ba60
              • Instruction ID: 36a81ff9c43c7538f531e148579a20e9389e6e5c169c1c37924ed6934c72b2af
              • Opcode Fuzzy Hash: 4bf977782e56cc6d3e6cfdaa9648ee35090604325d9b1ae192860fc68a49ba60
              • Instruction Fuzzy Hash: FD31B072A0020AABEF259F68DC44DAFBBA9EB40764F044128ED14DB194E735E950CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0138A4F8(void* __edx, void* __fp0) {
              				intOrPtr _v20;
              				intOrPtr _v24;
              				void _v28;
              				void* _t11;
              				void* _t13;
              				signed int _t18;
              				signed int _t19;
              				void* _t21;
              				void* _t22;
              				void* _t26;
              				void* _t32;
              
              				_t32 = __fp0;
              				_t21 = __edx;
              				_t22 = LoadBitmapW( *0x13b0060, 0x65);
              				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
              				_t28 = _t19;
              				if(_t19 != 0) {
              					_t22 = E0138963A(0x65);
              				}
              				GetObjectW(_t22, 0x18,  &_v28);
              				if(E0138952A(_t28) != 0) {
              					if(_t19 != 0) {
              						_t26 = E0138963A(0x66);
              						if(_t26 != 0) {
              							DeleteObject(_t22);
              							_t22 = _t26;
              						}
              					}
              					_t11 = E0138958C(_v20);
              					_t13 = E0138975D(_t21, _t32, _t22, E01389549(_v24), _t11);
              					DeleteObject(_t22);
              					_t22 = _t13;
              				}
              				return _t22;
              			}


              APIs
              • LoadBitmapW.USER32(00000065), ref: 0138A508
              • GetObjectW.GDI32(00000000,00000018,?), ref: 0138A529
              • DeleteObject.GDI32(00000000), ref: 0138A551
              • DeleteObject.GDI32(00000000), ref: 0138A570
                • Part of subcall function 0138963A: FindResourceW.KERNEL32(00000066,PNG,?,?,0138A54A,00000066), ref: 0138964B
                • Part of subcall function 0138963A: SizeofResource.KERNEL32(00000000,77625B70,?,?,0138A54A,00000066), ref: 01389663
                • Part of subcall function 0138963A: LoadResource.KERNEL32(00000000,?,?,0138A54A,00000066), ref: 01389676
                • Part of subcall function 0138963A: LockResource.KERNEL32(00000000,?,?,0138A54A,00000066), ref: 01389681
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
              • String ID:
              • API String ID: 142272564-0
              • Opcode ID: 5b5e145b70505fa18f56cc8fca4675788f1e14b55e870c9398363aaed51fa3f0
              • Instruction ID: 4c1b887d8be9737ee5ba335f3eac7d80a836b011e76d4d9356e7d315a34ebdda
              • Opcode Fuzzy Hash: 5b5e145b70505fa18f56cc8fca4675788f1e14b55e870c9398363aaed51fa3f0
              • Instruction Fuzzy Hash: 1901DF32540306A6D72133AC8C44F7F7B6E9BD5B6DF480021BB00A7284DE118C0293B0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 20%
              			E01391A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				void* _t25;
              				void* _t27;
              				void* _t28;
              				intOrPtr _t30;
              				intOrPtr* _t32;
              				void* _t34;
              
              				_t29 = __edx;
              				_t27 = __ebx;
              				_t36 = _a28;
              				_t30 = _a8;
              				if(_a28 != 0) {
              					_push(_a28);
              					_push(_a24);
              					_push(_t30);
              					_push(_a4);
              					E013920D8(__edx, _t36);
              					_t34 = _t34 + 0x10;
              				}
              				_t37 = _a40;
              				_push(_a4);
              				if(_a40 != 0) {
              					_push(_a40);
              				} else {
              					_push(_t30);
              				}
              				E0138F1DB(_t28);
              				_t32 = _a32;
              				_push( *_t32);
              				_push(_a20);
              				_push(_a16);
              				_push(_t30);
              				E013922DA(_t27, _t28, _t29, _t30, _t37);
              				_push(0x100);
              				_push(_a36);
              				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
              				_push( *((intOrPtr*)(_a24 + 0xc)));
              				_push(_a20);
              				_push(_a12);
              				_push(_t30);
              				_push(_a4);
              				_t25 = E01391893(_t29, _t32, _t37);
              				if(_t25 != 0) {
              					E0138F1A9(_t25, _t30);
              					return _t25;
              				}
              				return _t25;
              			}

              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 01391AA0
                • Part of subcall function 013920D8: ___AdjustPointer.LIBCMT ref: 01392122
              • _UnwindNestedFrames.LIBCMT ref: 01391AB7
              • ___FrameUnwindToState.LIBVCRUNTIME ref: 01391AC9
              • CallCatchBlock.LIBVCRUNTIME ref: 01391AED
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              • API String ID: 2633735394-0
              • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
              • Instruction ID: d17f8c609f26093ae73148f8513cd32503e4755f36f536e6dba78d9de05617a1
              • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
              • Instruction Fuzzy Hash: 9B01293200010ABBDF12AF99CC00EDA3FBAEF59728F044114FD1865120D336E8A1DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E013915E6() {
              				void* _t4;
              				void* _t8;
              
              				E013929B7();
              				E0139294B();
              				if(E0139268E() != 0) {
              					_t4 = E01391726(_t8, __eflags);
              					__eflags = _t4;
              					if(_t4 != 0) {
              						return 1;
              					} else {
              						E013926CA();
              						goto L1;
              					}
              				} else {
              					L1:
              					return 0;
              				}
              			}

              APIs
              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 013915E6
              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 013915EB
              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 013915F0
                • Part of subcall function 0139268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0139269F
              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01391605
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
              • String ID:
              • API String ID: 1761009282-0
              • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
              • Instruction ID: 7b002af631baa00c03020fd27ad36e3a6792c1084564cf733aaa01662260f901
              • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
              • Instruction Fuzzy Hash: BBC04C18400E53B0DF113ABD33107AF13040E724FD78A14C1ED52379165D45041B14B2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 51%
              			E0138975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
              				signed int _v0;
              				signed int _v4;
              				void _v68;
              				signed int _v72;
              				signed int _v76;
              				char _v112;
              				intOrPtr _v116;
              				intOrPtr* _v120;
              				short _v122;
              				short _v124;
              				signed int _v128;
              				signed int _v132;
              				signed int _v136;
              				intOrPtr* _v140;
              				char _v144;
              				intOrPtr* _v152;
              				intOrPtr _v156;
              				intOrPtr* _v164;
              				char _v180;
              				intOrPtr* _v184;
              				intOrPtr* _v192;
              				intOrPtr* _v200;
              				intOrPtr* _v212;
              				signed int _v216;
              				signed int _v220;
              				intOrPtr* _v224;
              				char _v228;
              				intOrPtr _v232;
              				void* __edi;
              				signed int _t71;
              				intOrPtr* _t77;
              				void* _t78;
              				intOrPtr* _t79;
              				intOrPtr* _t81;
              				short _t89;
              				intOrPtr* _t93;
              				intOrPtr* _t95;
              				intOrPtr* _t97;
              				intOrPtr* _t101;
              				signed int _t103;
              				intOrPtr* _t111;
              				intOrPtr* _t113;
              				intOrPtr* _t115;
              				signed int _t120;
              				intOrPtr _t124;
              				intOrPtr* _t132;
              				intOrPtr* _t134;
              				void* _t146;
              				void* _t149;
              				signed int _t152;
              				void* _t154;
              				long long* _t155;
              				long long _t158;
              
              				_t158 = __fp0;
              				if(E0138960F() != 0) {
              					_t146 = _a4;
              					GetObjectW(_t146, 0x18,  &_v68);
              					_t152 = _v4;
              					_t120 = _v0;
              					asm("cdq");
              					_t71 = _v72 * _t152 / _v76;
              					if(_t71 < _t120) {
              						_t120 = _t71;
              					}
              					_t149 = 0;
              					_push( &_v112);
              					_push(0x13a33ac);
              					_push(1);
              					_push(0);
              					_push(0x13a417c);
              					if( *0x13adff4() < 0) {
              						L18:
              						return _t146;
              					} else {
              						_t77 = _v132;
              						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
              						_t79 = _v152;
              						if(_t78 >= 0) {
              							_v144 = 0;
              							_push( &_v144);
              							_push(_t79);
              							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
              								_t81 = _v152;
              								asm("fldz");
              								_push(0);
              								_t124 =  *_t81;
              								_push(_t124);
              								_push(_t124);
              								 *_t155 = _t158;
              								_push(0);
              								_push(0);
              								_push(0x13a418c);
              								_push(_v156);
              								_push(_t81);
              								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
              									E0138E920(_t146,  &_v136, 0, 0x2c);
              									_v136 = 0x28;
              									_v132 = _t152;
              									_v120 = 0;
              									_v128 =  ~_t120;
              									_v124 = 1;
              									_t89 = 0x20;
              									_v122 = _t89;
              									_t154 =  *0x13adedc(0,  &_v136, 0,  &_v180, 0, 0);
              									asm("sbb ecx, ecx");
              									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
              										_t132 = _v216;
              										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
              										_t101 = _v120;
              										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
              										_t103 = _v136;
              										_push(_v232);
              										_t134 = _v140;
              										_v220 = _t103;
              										_v228 = 0;
              										_v224 = 0;
              										_v216 = _t120;
              										_push(_t103 * _t120 << 2);
              										_push(_v136 << 2);
              										_push( &_v228);
              										_push(_t134);
              										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
              											DeleteObject(_t154);
              										} else {
              											_t149 = _t154;
              										}
              										_t111 = _v164;
              										 *((intOrPtr*)( *_t111 + 8))(_t111);
              									}
              									_t93 = _v212;
              									 *((intOrPtr*)( *_t93 + 8))(_t93);
              									_t95 = _v212;
              									 *((intOrPtr*)( *_t95 + 8))(_t95);
              									_t97 = _v224;
              									 *((intOrPtr*)( *_t97 + 8))(_t97);
              									if(_t149 != 0) {
              										_t146 = _t149;
              									}
              									goto L18;
              								}
              								_t113 = _v184;
              								 *((intOrPtr*)( *_t113 + 8))(_t113);
              							}
              							_t115 = _v192;
              							 *((intOrPtr*)( *_t115 + 8))(_t115);
              							_t79 = _v200;
              						}
              						 *((intOrPtr*)( *_t79 + 8))(_t79);
              						goto L18;
              					}
              				}
              				_push(_a12);
              				_push(_a8);
              				_push(_a4);
              				return E01389954();
              			}

              APIs
                • Part of subcall function 0138960F: GetDC.USER32(00000000), ref: 01389613
                • Part of subcall function 0138960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0138961E
                • Part of subcall function 0138960F: ReleaseDC.USER32(00000000,00000000), ref: 01389629
              • GetObjectW.GDI32(?,00000018,?,00000000,?,77625B70), ref: 0138978E
                • Part of subcall function 01389954: GetDC.USER32(00000000), ref: 0138995D
                • Part of subcall function 01389954: GetObjectW.GDI32(?,00000018,?,?,?,77625B70,?,?,?,?,?,0138977A,?,?,?), ref: 0138998C
                • Part of subcall function 01389954: ReleaseDC.USER32(00000000,?), ref: 01389A20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ObjectRelease$CapsDevice
              • String ID: (
              • API String ID: 1061551593-3887548279
              • Opcode ID: ae1dc03f56998c837bd453904dc2f5f2d38d17000d286786fe6eb0b1f6692cb5
              • Instruction ID: 7ba60ed9c5727efdd9df6c24c986247e6b407268567f16dbb50be14b50c9998b
              • Opcode Fuzzy Hash: ae1dc03f56998c837bd453904dc2f5f2d38d17000d286786fe6eb0b1f6692cb5
              • Instruction Fuzzy Hash: 8F610271208305AFD210DFA8C884E6BBBE9FFC9608F10491DF699C7221D771E905CB62
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 17%
              			E01380A9F(intOrPtr* __ecx) {
              				char _v516;
              				signed int _t26;
              				void* _t28;
              				void* _t32;
              				signed int _t33;
              				signed int _t34;
              				signed int _t35;
              				signed int _t38;
              				void* _t47;
              				void* _t48;
              
              				_t41 = __ecx;
              				_t44 = __ecx;
              				_t26 =  *(__ecx + 0x48);
              				_t47 = _t26 - 0x6f;
              				if(_t47 > 0) {
              					__eflags = _t26 - 0x7d;
              					if(_t26 == 0x7d) {
              						E0138C339();
              						_t28 = E0137DA42(_t41, 0x96);
              						return E01389735( *0x13b75d8, E0137DA42(_t41, 0xc9), _t28, 0);
              					}
              				} else {
              					if(_t47 == 0) {
              						_push(0x456);
              						L38:
              						_push(E0137DA42(_t41));
              						_push( *_t44);
              						L19:
              						_t32 = E0138A57D();
              						L11:
              						return _t32;
              					}
              					_t48 = _t26 - 0x16;
              					if(_t48 > 0) {
              						__eflags = _t26 - 0x38;
              						if(__eflags > 0) {
              							_t33 = _t26 - 0x39;
              							__eflags = _t33;
              							if(_t33 == 0) {
              								_push(0x8c);
              								goto L38;
              							}
              							_t34 = _t33 - 1;
              							__eflags = _t34;
              							if(_t34 == 0) {
              								_push(0x6f);
              								goto L38;
              							}
              							_t35 = _t34 - 1;
              							__eflags = _t35;
              							if(_t35 == 0) {
              								_push( *((intOrPtr*)(__ecx + 4)));
              								_push(0x406);
              								goto L13;
              							}
              							_t38 = _t35 - 9;
              							__eflags = _t38;
              							if(_t38 == 0) {
              								_push(0x343);
              								goto L38;
              							}
              							_t26 = _t38 - 1;
              							__eflags = _t26;
              							if(_t26 == 0) {
              								_push(0x86);
              								goto L38;
              							}
              						} else {
              							if(__eflags == 0) {
              								_push(0x67);
              								goto L38;
              							}
              							_t26 = _t26 - 0x17;
              							__eflags = _t26 - 0xb;
              							if(_t26 <= 0xb) {
              								switch( *((intOrPtr*)(_t26 * 4 +  &M01380D63))) {
              									case 0:
              										_push(0xde);
              										goto L18;
              									case 1:
              										_push(0xe1);
              										goto L18;
              									case 2:
              										_push(0xb4);
              										goto L38;
              									case 3:
              										_push(0x69);
              										goto L38;
              									case 4:
              										_push(0x6a);
              										goto L38;
              									case 5:
              										_push( *((intOrPtr*)(__esi + 4)));
              										_push(0x68);
              										goto L13;
              									case 6:
              										_push(0x46f);
              										goto L38;
              									case 7:
              										_push(0x470);
              										goto L38;
              									case 8:
              										_push( *((intOrPtr*)(__esi + 4)));
              										_push(0x471);
              										goto L13;
              									case 9:
              										goto L61;
              									case 0xa:
              										_push( *((intOrPtr*)(__esi + 4)));
              										_push(0x71);
              										goto L13;
              									case 0xb:
              										E0137DA42(__ecx, 0xc8) =  &_v516;
              										__eax = E01373E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
              										_push( *((intOrPtr*)(__esi + 8)));
              										__eax =  &_v516;
              										_push( &_v516);
              										return E0138A57D( *__esi, L"%s: %s");
              								}
              							}
              						}
              					} else {
              						if(_t48 == 0) {
              							_push( *__ecx);
              							_push(0xdd);
              							L23:
              							E0137DA42(_t41);
              							L7:
              							_push(0);
              							L8:
              							return E0138A57D();
              						}
              						if(_t26 <= 0x15) {
              							switch( *((intOrPtr*)(_t26 * 4 +  &M01380D0B))) {
              								case 0:
              									_push( *__esi);
              									_push(L"%ls");
              									_push(">");
              									goto L8;
              								case 1:
              									_push( *__ecx);
              									_push(L"%ls");
              									goto L7;
              								case 2:
              									_push(0);
              									__eax = E01389D55();
              									goto L11;
              								case 3:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x7b);
              									goto L13;
              								case 4:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x7a);
              									goto L13;
              								case 5:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x7c);
              									goto L13;
              								case 6:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0xca);
              									goto L13;
              								case 7:
              									_push(0x70);
              									L18:
              									_push(E0137DA42(_t41));
              									_push(0);
              									goto L19;
              								case 8:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x72);
              									goto L13;
              								case 9:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x78);
              									goto L13;
              								case 0xa:
              									_push( *__esi);
              									_push(0x85);
              									goto L23;
              								case 0xb:
              									_push( *__esi);
              									_push(0x204);
              									goto L23;
              								case 0xc:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x84);
              									goto L13;
              								case 0xd:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x83);
              									goto L13;
              								case 0xe:
              									goto L61;
              								case 0xf:
              									_push( *((intOrPtr*)(__esi + 8)));
              									_push( *((intOrPtr*)(__esi + 4)));
              									__eax = E0137DA42(__ecx, 0xd2);
              									return __eax;
              								case 0x10:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0x79);
              									goto L13;
              								case 0x11:
              									_push( *((intOrPtr*)(__esi + 4)));
              									_push(0xdc);
              									L13:
              									_push(E0137DA42(_t41));
              									_push( *_t44);
              									goto L8;
              							}
              						}
              					}
              				}
              				L61:
              				return _t26;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: _swprintf
              • String ID: %ls$%s: %s
              • API String ID: 589789837-2259941744
              • Opcode ID: 218daa42a286d5c5440ba6ff8a6ce0bdf8f192bc738962a659b7440c6fe9ee7b
              • Instruction ID: 572a64ccc94b56ef565269fade48bd732a79967a2042e1ad2bf1eb7beab52dab
              • Opcode Fuzzy Hash: 218daa42a286d5c5440ba6ff8a6ce0bdf8f192bc738962a659b7440c6fe9ee7b
              • Instruction Fuzzy Hash: BA51D83128C309FAFB2E3FD88D46F26796DAB04B0CF408506B79B69CD5D5A2946C9612
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E01399E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
              				intOrPtr _v0;
              				char _v6;
              				char _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _v36;
              				intOrPtr* _v64;
              				intOrPtr _v96;
              				intOrPtr* _v100;
              				CHAR* _v104;
              				signed int _v116;
              				char _v290;
              				signed int _v291;
              				struct _WIN32_FIND_DATAA _v336;
              				union _FINDEX_INFO_LEVELS _v340;
              				signed int _v344;
              				signed int _v348;
              				intOrPtr _v440;
              				intOrPtr* _t80;
              				signed int _t82;
              				signed int _t87;
              				signed int _t91;
              				signed int _t93;
              				signed int _t95;
              				signed int _t96;
              				signed int _t100;
              				signed int _t103;
              				signed int _t108;
              				signed int _t111;
              				intOrPtr _t113;
              				signed char _t115;
              				union _FINDEX_INFO_LEVELS _t123;
              				signed int _t128;
              				signed int _t131;
              				void* _t136;
              				void* _t138;
              				signed int _t139;
              				signed int _t142;
              				signed int _t144;
              				signed int _t146;
              				signed int* _t147;
              				signed int _t150;
              				void* _t153;
              				CHAR* _t154;
              				char _t157;
              				char _t159;
              				intOrPtr* _t162;
              				void* _t163;
              				intOrPtr* _t164;
              				signed int _t166;
              				void* _t168;
              				intOrPtr* _t169;
              				signed int _t173;
              				signed int _t177;
              				signed int _t178;
              				intOrPtr* _t183;
              				void* _t192;
              				intOrPtr _t193;
              				signed int _t195;
              				signed int _t196;
              				signed int _t198;
              				signed int _t199;
              				signed int _t201;
              				union _FINDEX_INFO_LEVELS _t202;
              				signed int _t207;
              				signed int _t209;
              				signed int _t210;
              				void* _t212;
              				intOrPtr _t213;
              				void* _t214;
              				signed int _t218;
              				void* _t220;
              				signed int _t221;
              				void* _t222;
              				void* _t223;
              				void* _t224;
              				signed int _t225;
              				void* _t226;
              				void* _t227;
              
              				_t80 = _a8;
              				_t223 = _t222 - 0x20;
              				if(_t80 != 0) {
              					_t207 = _a4;
              					_t159 = 0;
              					 *_t80 = 0;
              					_t198 = 0;
              					_t150 = 0;
              					_v36 = 0;
              					_v336.cAlternateFileName = 0;
              					_v28 = 0;
              					__eflags =  *_t207;
              					if( *_t207 == 0) {
              						L9:
              						_v12 = _v12 & 0x00000000;
              						_t82 = _t150 - _t198;
              						_v8 = _t159;
              						_t190 = (_t82 >> 2) + 1;
              						__eflags = _t150 - _t198;
              						_v16 = (_t82 >> 2) + 1;
              						asm("sbb esi, esi");
              						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
              						__eflags = _t209;
              						if(_t209 != 0) {
              							_t196 = _t198;
              							_t157 = _t159;
              							do {
              								_t183 =  *_t196;
              								_t17 = _t183 + 1; // 0x1
              								_v8 = _t17;
              								do {
              									_t142 =  *_t183;
              									_t183 = _t183 + 1;
              									__eflags = _t142;
              								} while (_t142 != 0);
              								_t157 = _t157 + 1 + _t183 - _v8;
              								_t196 = _t196 + 4;
              								_t144 = _v12 + 1;
              								_v12 = _t144;
              								__eflags = _t144 - _t209;
              							} while (_t144 != _t209);
              							_t190 = _v16;
              							_v8 = _t157;
              							_t150 = _v336.cAlternateFileName;
              						}
              						_t210 = E01396F0C(_t190, _v8, 1);
              						_t224 = _t223 + 0xc;
              						__eflags = _t210;
              						if(_t210 != 0) {
              							_t87 = _t210 + _v16 * 4;
              							_v20 = _t87;
              							_t191 = _t87;
              							_v16 = _t87;
              							__eflags = _t198 - _t150;
              							if(_t198 == _t150) {
              								L23:
              								_t199 = 0;
              								__eflags = 0;
              								 *_a8 = _t210;
              								goto L24;
              							} else {
              								_t93 = _t210 - _t198;
              								__eflags = _t93;
              								_v24 = _t93;
              								do {
              									_t162 =  *_t198;
              									_v12 = _t162 + 1;
              									do {
              										_t95 =  *_t162;
              										_t162 = _t162 + 1;
              										__eflags = _t95;
              									} while (_t95 != 0);
              									_t163 = _t162 - _v12;
              									_t35 = _t163 + 1; // 0x1
              									_t96 = _t35;
              									_push(_t96);
              									_v12 = _t96;
              									_t100 = E0139DD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
              									_t224 = _t224 + 0x10;
              									__eflags = _t100;
              									if(_t100 != 0) {
              										_push(0);
              										_push(0);
              										_push(0);
              										_push(0);
              										_push(0);
              										E01397DBB();
              										asm("int3");
              										_t220 = _t224;
              										_push(_t163);
              										_t164 = _v64;
              										_t47 = _t164 + 1; // 0x1
              										_t192 = _t47;
              										do {
              											_t103 =  *_t164;
              											_t164 = _t164 + 1;
              											__eflags = _t103;
              										} while (_t103 != 0);
              										_push(_t198);
              										_t201 = _a8;
              										_t166 = _t164 - _t192 + 1;
              										_v12 = _t166;
              										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
              										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
              											_push(_t150);
              											_t50 = _t201 + 1; // 0x1
              											_t153 = _t50 + _t166;
              											_t212 = E01397B1B(_t166, _t153, 1);
              											_t168 = _t210;
              											__eflags = _t201;
              											if(_t201 == 0) {
              												L34:
              												_push(_v12);
              												_t153 = _t153 - _t201;
              												_t108 = E0139DD71(_t168, _t212 + _t201, _t153, _v0);
              												_t225 = _t224 + 0x10;
              												__eflags = _t108;
              												if(__eflags != 0) {
              													goto L37;
              												} else {
              													_t136 = E0139A212(_a12, _t192, __eflags, _t212);
              													E01397A50(0);
              													_t138 = _t136;
              													goto L36;
              												}
              											} else {
              												_push(_t201);
              												_t139 = E0139DD71(_t168, _t212, _t153, _a4);
              												_t225 = _t224 + 0x10;
              												__eflags = _t139;
              												if(_t139 != 0) {
              													L37:
              													_push(0);
              													_push(0);
              													_push(0);
              													_push(0);
              													_push(0);
              													E01397DBB();
              													asm("int3");
              													_push(_t220);
              													_t221 = _t225;
              													_t226 = _t225 - 0x150;
              													_t111 =  *0x13ad668; // 0x5221689b
              													_v116 = _t111 ^ _t221;
              													_t169 = _v100;
              													_push(_t153);
              													_t154 = _v104;
              													_push(_t212);
              													_t213 = _v96;
              													_push(_t201);
              													_v440 = _t213;
              													while(1) {
              														__eflags = _t169 - _t154;
              														if(_t169 == _t154) {
              															break;
              														}
              														_t113 =  *_t169;
              														__eflags = _t113 - 0x2f;
              														if(_t113 != 0x2f) {
              															__eflags = _t113 - 0x5c;
              															if(_t113 != 0x5c) {
              																__eflags = _t113 - 0x3a;
              																if(_t113 != 0x3a) {
              																	_t169 = E0139DDC0(_t154, _t169);
              																	continue;
              																}
              															}
              														}
              														break;
              													}
              													_t193 =  *_t169;
              													__eflags = _t193 - 0x3a;
              													if(_t193 != 0x3a) {
              														L47:
              														_t202 = 0;
              														__eflags = _t193 - 0x2f;
              														if(_t193 == 0x2f) {
              															L51:
              															_t115 = 1;
              															__eflags = 1;
              														} else {
              															__eflags = _t193 - 0x5c;
              															if(_t193 == 0x5c) {
              																goto L51;
              															} else {
              																__eflags = _t193 - 0x3a;
              																if(_t193 == 0x3a) {
              																	goto L51;
              																} else {
              																	_t115 = 0;
              																}
              															}
              														}
              														asm("sbb eax, eax");
              														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
              														E0138E920(_t202,  &_v336, _t202, 0x140);
              														_t227 = _t226 + 0xc;
              														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
              														_t123 = _v340;
              														__eflags = _t214 - 0xffffffff;
              														if(_t214 != 0xffffffff) {
              															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
              															__eflags = _t173;
              															_v348 = _t173 >> 2;
              															do {
              																__eflags = _v336.cFileName - 0x2e;
              																if(_v336.cFileName != 0x2e) {
              																	L64:
              																	_push(_t123);
              																	_push(_v344);
              																	_t123 =  &(_v336.cFileName);
              																	_push(_t154);
              																	_push(_t123);
              																	L28();
              																	_t227 = _t227 + 0x10;
              																	__eflags = _t123;
              																	if(_t123 != 0) {
              																		goto L54;
              																	} else {
              																		goto L65;
              																	}
              																} else {
              																	_t177 = _v291;
              																	__eflags = _t177;
              																	if(_t177 == 0) {
              																		goto L65;
              																	} else {
              																		__eflags = _t177 - 0x2e;
              																		if(_t177 != 0x2e) {
              																			goto L64;
              																		} else {
              																			__eflags = _v290;
              																			if(_v290 == 0) {
              																				goto L65;
              																			} else {
              																				goto L64;
              																			}
              																		}
              																	}
              																}
              																goto L58;
              																L65:
              																_t128 = FindNextFileA(_t214,  &_v336);
              																__eflags = _t128;
              																_t123 = _v340;
              															} while (_t128 != 0);
              															_t194 =  *_t123;
              															_t178 = _v348;
              															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
              															__eflags = _t178 - _t131;
              															if(_t178 != _t131) {
              																E01395030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E01399E2B);
              															}
              														} else {
              															_push(_t123);
              															_push(_t202);
              															_push(_t202);
              															_push(_t154);
              															L28();
              															L54:
              															_t202 = _t123;
              														}
              														__eflags = _t214 - 0xffffffff;
              														if(_t214 != 0xffffffff) {
              															FindClose(_t214);
              														}
              														_t124 = _t202;
              													} else {
              														_t124 =  &(_t154[1]);
              														__eflags = _t169 -  &(_t154[1]);
              														if(_t169 ==  &(_t154[1])) {
              															goto L47;
              														} else {
              															_push(_t213);
              															_push(0);
              															_push(0);
              															_push(_t154);
              															L28();
              														}
              													}
              													L58:
              													__eflags = _v16 ^ _t221;
              													return E0138E203(_t124, _v16 ^ _t221);
              												} else {
              													goto L34;
              												}
              											}
              										} else {
              											_t138 = 0xc;
              											L36:
              											return _t138;
              										}
              									} else {
              										goto L22;
              									}
              									goto L68;
              									L22:
              									_t195 = _v16;
              									 *((intOrPtr*)(_v24 + _t198)) = _t195;
              									_t198 = _t198 + 4;
              									_t191 = _t195 + _v12;
              									_v16 = _t195 + _v12;
              									__eflags = _t198 - _t150;
              								} while (_t198 != _t150);
              								goto L23;
              							}
              						} else {
              							_t199 = _t198 | 0xffffffff;
              							L24:
              							E01397A50(0);
              							goto L25;
              						}
              					} else {
              						while(1) {
              							_v8 = 0x3f2a;
              							_v6 = _t159;
              							_t146 = E0139DD80( *_t207,  &_v8);
              							__eflags = _t146;
              							if(_t146 != 0) {
              								_push( &_v36);
              								_push(_t146);
              								_push( *_t207);
              								L38();
              								_t223 = _t223 + 0xc;
              							} else {
              								_t146 =  &_v36;
              								_push(_t146);
              								_push(0);
              								_push(0);
              								_push( *_t207);
              								L28();
              								_t223 = _t223 + 0x10;
              							}
              							_t199 = _t146;
              							__eflags = _t199;
              							if(_t199 != 0) {
              								break;
              							}
              							_t207 = _t207 + 4;
              							_t159 = 0;
              							__eflags =  *_t207;
              							if( *_t207 != 0) {
              								continue;
              							} else {
              								_t150 = _v336.cAlternateFileName;
              								_t198 = _v36;
              								goto L9;
              							}
              							goto L68;
              						}
              						L25:
              						E0139A1ED( &_v36);
              						_t91 = _t199;
              						goto L26;
              					}
              				} else {
              					_t147 = E01397ECC();
              					_t218 = 0x16;
              					 *_t147 = _t218;
              					E01397DAB();
              					_t91 = _t218;
              					L26:
              					return _t91;
              				}
              				L68:
              			}

              APIs
              • _free.LIBCMT ref: 01399FAF
                • Part of subcall function 01397DBB: IsProcessorFeaturePresent.KERNEL32(00000017,01397DAA,0000002C,013AA968,0139AF68,00000000,00000000,01398599,?,?,01397DB7,00000000,00000000,00000000,00000000,00000000), ref: 01397DBD
                • Part of subcall function 01397DBB: GetCurrentProcess.KERNEL32(C0000417,013AA968,0000002C,01397AE8,00000016,01398599), ref: 01397DDF
                • Part of subcall function 01397DBB: TerminateProcess.KERNEL32(00000000), ref: 01397DE6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
              • String ID: *?$.
              • API String ID: 2667617558-3972193922
              • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
              • Instruction ID: 7d960145b65b78ab91f0d2c831fde9627d79c3e2e18ca5d7b5bf241f1e26bbfb
              • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
              • Instruction Fuzzy Hash: 4D51B376E0020AAFDF15DFACC880AADFBF9EF48318F24416DE855E7341E6319A058B50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E01377570(void* __ecx, void* __edx) {
              				void* __esi;
              				char _t54;
              				signed int _t57;
              				void* _t61;
              				signed int _t62;
              				signed int _t68;
              				signed int _t85;
              				void* _t90;
              				void* _t99;
              				void* _t101;
              				intOrPtr* _t106;
              				void* _t108;
              
              				_t99 = __edx;
              				E0138D870(E013A1298, _t108);
              				E0138D940();
              				_t106 =  *((intOrPtr*)(_t108 + 0xc));
              				if( *_t106 == 0) {
              					L3:
              					_t101 = 0x802;
              					E0137FAB1(_t108 - 0x1010, _t106, 0x802);
              					L4:
              					_t81 =  *((intOrPtr*)(_t108 + 8));
              					E01377773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
              					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
              					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
              						__eflags =  *((char*)(_t108 + 0x10));
              						if(__eflags == 0) {
              							E0137FA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
              							E01376EF9(_t108 - 0x307c);
              							_push(0);
              							_t54 = E0137A1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
              							_t85 =  *(_t108 - 0x2074);
              							 *((char*)(_t108 + 0x13)) = _t54;
              							__eflags = _t85 & 0x00000001;
              							if((_t85 & 0x00000001) != 0) {
              								__eflags = _t85 & 0xfffffffe;
              								E0137A12F(_t106, _t85 & 0xfffffffe);
              							}
              							E0137943C(_t108 - 0x2034);
              							 *((intOrPtr*)(_t108 - 4)) = 1;
              							_t57 = E01379BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
              							__eflags = _t57;
              							if(_t57 != 0) {
              								_push(0);
              								_push(_t108 - 0x2034);
              								_push(0);
              								_t68 = E0137399D(_t81, _t99);
              								__eflags = _t68;
              								if(_t68 != 0) {
              									E013794DA(_t108 - 0x2034);
              								}
              							}
              							E0137943C(_t108 - 0x50a0);
              							__eflags =  *((char*)(_t108 + 0x13));
              							 *((char*)(_t108 - 4)) = 2;
              							if( *((char*)(_t108 + 0x13)) != 0) {
              								_t62 = E01379768(_t108 - 0x50a0, _t106, _t106, 5);
              								__eflags = _t62;
              								if(_t62 != 0) {
              									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
              								}
              							}
              							E0137A12F(_t106,  *(_t108 - 0x2074));
              							E0137946E(_t108 - 0x50a0);
              							_t90 = _t108 - 0x2034;
              						} else {
              							E0137943C(_t108 - 0x60c4);
              							_push(1);
              							_push(_t108 - 0x60c4);
              							_push(0);
              							 *((intOrPtr*)(_t108 - 4)) = 0;
              							E0137399D(_t81, _t99);
              							_t90 = _t108 - 0x60c4;
              						}
              						_t61 = E0137946E(_t90);
              					} else {
              						E01376BF5(_t113, 0x53, _t81 + 0x1e, _t106);
              						_t61 = E01376E03(0x13b00e0, 3);
              					}
              					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
              					return _t61;
              				}
              				_t112 =  *((intOrPtr*)(_t106 + 2));
              				if( *((intOrPtr*)(_t106 + 2)) != 0) {
              					goto L3;
              				} else {
              					_t101 = 0x802;
              					E0137FAB1(_t108 - 0x1010, 0x13a2490, 0x802);
              					E0137FA89(_t112, _t108 - 0x1010, _t106, 0x802);
              					goto L4;
              				}
              			}
















              APIs
              • __EH_prolog.LIBCMT ref: 01377575
              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 01377711
                • Part of subcall function 0137A12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,01379F65,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 0137A143
                • Part of subcall function 0137A12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,01379F65,?,?,?,01379DFE,?,00000001,00000000,?,?), ref: 0137A174
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: File$Attributes$H_prologTime
              • String ID: :
              • API String ID: 1861295151-336475711
              • Opcode ID: c8637740597b0eed79a295fe654b9ea7638090604fe09a967614350cf8c1eee8
              • Instruction ID: 4a9b0652868ee90801568b2c252ac3e53e775b648ae57c7591b08a6a6dda83a3
              • Opcode Fuzzy Hash: c8637740597b0eed79a295fe654b9ea7638090604fe09a967614350cf8c1eee8
              • Instruction Fuzzy Hash: 3C419071800259AAEB35EB68CC58FEFB77CAF55358F404199A605A7081DB789F88CF60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 81%
              			E0137B32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
              				short _v4096;
              				short _v4100;
              				signed short* _t30;
              				long _t32;
              				short _t33;
              				void* _t39;
              				signed short* _t52;
              				void* _t53;
              				signed short* _t62;
              				void* _t66;
              				intOrPtr _t69;
              				signed short* _t71;
              				intOrPtr _t73;
              
              				E0138D940();
              				_t71 = _a4;
              				if( *_t71 != 0) {
              					E0137B4C6(_t71);
              					_t66 = E01392B33(_t71);
              					_t30 = E0137B4F2(_t71);
              					__eflags = _t30;
              					if(_t30 == 0) {
              						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
              						__eflags = _t32;
              						if(_t32 == 0) {
              							L22:
              							_t33 = 0;
              							__eflags = 0;
              							L23:
              							goto L24;
              						}
              						__eflags = _t32 - 0x7ff;
              						if(_t32 > 0x7ff) {
              							goto L22;
              						}
              						__eflags = E0137B5CD( *_t71 & 0x0000ffff);
              						if(__eflags == 0) {
              							E0137AEA5(__eflags,  &_v4100, 0x800);
              							_t39 = E01392B33( &_v4100);
              							_t69 = _a12;
              							__eflags = _t69 - _t39 + _t66 + 4;
              							if(_t69 <= _t39 + _t66 + 4) {
              								goto L22;
              							}
              							E0137FAB1(_a8, L"\\\\?\\", _t69);
              							E0137FA89(__eflags, _a8,  &_v4100, _t69);
              							__eflags =  *_t71 - 0x2e;
              							if(__eflags == 0) {
              								__eflags = E0137B5CD(_t71[1] & 0x0000ffff);
              								if(__eflags != 0) {
              									_t71 =  &(_t71[2]);
              									__eflags = _t71;
              								}
              							}
              							L19:
              							_push(_t69);
              							L20:
              							_push(_t71);
              							L21:
              							_push(_a8);
              							E0137FA89(__eflags);
              							_t33 = 1;
              							goto L23;
              						}
              						_t13 = _t66 + 6; // 0x6
              						_t69 = _a12;
              						__eflags = _t69 - _t13;
              						if(_t69 <= _t13) {
              							goto L22;
              						}
              						E0137FAB1(_a8, L"\\\\?\\", _t69);
              						_v4096 = 0;
              						E0137FA89(__eflags, _a8,  &_v4100, _t69);
              						goto L19;
              					}
              					_t52 = E0137B4C6(_t71);
              					__eflags = _t52;
              					if(_t52 == 0) {
              						_t53 = 0x5c;
              						__eflags =  *_t71 - _t53;
              						if( *_t71 != _t53) {
              							goto L22;
              						}
              						_t62 =  &(_t71[1]);
              						__eflags =  *_t62 - _t53;
              						if( *_t62 != _t53) {
              							goto L22;
              						}
              						_t73 = _a12;
              						_t9 = _t66 + 6; // 0x6
              						__eflags = _t73 - _t9;
              						if(_t73 <= _t9) {
              							goto L22;
              						}
              						E0137FAB1(_a8, L"\\\\?\\", _t73);
              						E0137FA89(__eflags, _a8, L"UNC", _t73);
              						_push(_t73);
              						_push(_t62);
              						goto L21;
              					}
              					_t2 = _t66 + 4; // 0x4
              					__eflags = _a12 - _t2;
              					if(_a12 <= _t2) {
              						goto L22;
              					}
              					E0137FAB1(_a8, L"\\\\?\\", _a12);
              					_push(_a12);
              					goto L20;
              				} else {
              					_t33 = 0;
              					L24:
              					return _t33;
              				}
              			}

















              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: UNC$\\?\
              • API String ID: 0-253988292
              • Opcode ID: 4c0c40dc5628439ffaf3d81b0b23f074acdd9ec03cdcb687419f22e443c2c553
              • Instruction ID: 7c07c09b7506f08cb55a1b30a48c5862bddbfc12082dbb82b85a68a27f7675ea
              • Opcode Fuzzy Hash: 4c0c40dc5628439ffaf3d81b0b23f074acdd9ec03cdcb687419f22e443c2c553
              • Instruction Fuzzy Hash: 55419E3140021ABADF31AF69CC44EABBBBDBF1566DB008465F954A3244D77C9A808FA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E01388A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
              				void* __esi;
              				intOrPtr _t18;
              				char _t19;
              				intOrPtr* _t23;
              				signed int _t25;
              				void* _t26;
              				intOrPtr* _t28;
              				void* _t38;
              				void* _t43;
              				intOrPtr _t44;
              				signed int* _t48;
              
              				_t44 = _a4;
              				_t43 = __ecx;
              				 *((intOrPtr*)(__ecx + 4)) = _t44;
              				_t18 = E0138D82C(__edx, _t44, __eflags, 0x30);
              				_a4 = _t18;
              				if(_t18 == 0) {
              					_t19 = 0;
              					__eflags = 0;
              				} else {
              					_t19 = E013883B5(_t18);
              				}
              				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
              				if(_t19 == 0) {
              					return _t19;
              				} else {
              					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
              					E01389184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
              					E0138931D( *((intOrPtr*)(_t43 + 0xc)), 1);
              					E013892D3( *((intOrPtr*)(_t43 + 0xc)), 1);
              					_t23 = E01389238( *((intOrPtr*)(_t43 + 0xc)));
              					_t28 = _t23;
              					if(_t28 == 0) {
              						L7:
              						__eflags =  *(_t43 + 0x10);
              						if( *(_t43 + 0x10) != 0) {
              							E01388581(_t43);
              							_t25 =  *(_t43 + 0x10);
              							_push(0);
              							_push(0);
              							_push(0);
              							 *((char*)(_t43 + 0x25)) = 0;
              							_t38 =  *_t25;
              							_push(0);
              							__eflags =  *(_t43 + 0x20);
              							if( *(_t43 + 0x20) == 0) {
              								_push(L"about:blank");
              							} else {
              								_push( *(_t43 + 0x20));
              							}
              							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
              						}
              						L12:
              						return _t23;
              					}
              					_t10 = _t43 + 0x10; // 0x10
              					_t48 = _t10;
              					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0x13a412c, _t48);
              					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
              					if(_t26 >= 0) {
              						goto L7;
              					}
              					 *_t48 =  *_t48 & 0x00000000;
              					goto L12;
              				}
              			}















              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: Shell.Explorer$about:blank
              • API String ID: 0-874089819
              • Opcode ID: 70b70eef0d7e7e5b289b6df21a4d69620c713bff837f94930bf98b46ff6c923e
              • Instruction ID: 3b281254d00cf6fb1a9500ef4e9a242a93d391327e72630eb1f44e5d2c38619c
              • Opcode Fuzzy Hash: 70b70eef0d7e7e5b289b6df21a4d69620c713bff837f94930bf98b46ff6c923e
              • Instruction Fuzzy Hash: 9F21627170070AAFE704BBB8C890E36F768FF9521CB444559E21597681DBB4E811CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 20%
              			E0137E862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
              				void* __esi;
              				void* __ebp;
              				intOrPtr* _t11;
              				intOrPtr* _t12;
              				signed char _t13;
              				void* _t17;
              				signed char _t18;
              				void* _t20;
              				signed int _t22;
              				signed int _t30;
              				void* _t31;
              				void* _t32;
              				intOrPtr _t33;
              				signed int _t36;
              
              				_t32 = __edi;
              				_t17 = __ebx;
              				_t11 =  *0x13b7358; // 0x0
              				if(_t11 == 0) {
              					E0137E7E3(0x13b7350);
              					_t11 =  *0x13b7358; // 0x0
              				}
              				_t36 = _a8;
              				_t22 = _t36 & 0xfffffff0;
              				_t30 = 0 | _a16 != 0x00000000;
              				if(_a12 == 0) {
              					_t12 =  *0x13b735c; // 0x0
              					if(_t12 == 0) {
              						goto L10;
              					} else {
              						_t13 =  *_t12(_a4, _t22, _t30);
              						if(_t13 == 0) {
              							_push(L"CryptUnprotectMemory failed");
              							goto L6;
              						}
              					}
              				} else {
              					if(_t11 == 0) {
              						L10:
              						_push(_t17);
              						_t13 = GetCurrentProcessId();
              						_t31 = 0;
              						_t18 = _t13;
              						if(_t36 != 0) {
              							_push(_t32);
              							_t33 = _a4;
              							_t20 = _t18 + 0x4b;
              							do {
              								_t13 = _t31 + _t20;
              								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
              								_t31 = _t31 + 1;
              							} while (_t31 < _t36);
              						}
              					} else {
              						_t13 =  *_t11(_a4, _t22, _t30);
              						if(_t13 == 0) {
              							_push(L"CryptProtectMemory failed");
              							L6:
              							_push(0x13b00e0);
              							_t13 = E01376CC9(E0138E214(E01376CCE(_t22)), 0x13b00e0, 0x13b00e0, 2);
              						}
              					}
              				}
              				return _t13;
              			}


















              APIs
                • Part of subcall function 0137E7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0137E802
                • Part of subcall function 0137E7E3: GetProcAddress.KERNEL32(013B7350,CryptUnprotectMemory), ref: 0137E812
              • GetCurrentProcessId.KERNEL32(?,?,?,0137E85C), ref: 0137E8E3
              Strings
              • CryptUnprotectMemory failed, xrefs: 0137E8DB
              • CryptProtectMemory failed, xrefs: 0137E8A3
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressProc$CurrentProcess
              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
              • API String ID: 2190909847-396321323
              • Opcode ID: 0a01272ec2329c064a50f1e4463546cbeb7d5f9d5e5b645f70debd178f7bbb8f
              • Instruction ID: 03008d00c80a6558e8bd869d55140c8061d9dc4880370f2e6882784eb7f1791e
              • Opcode Fuzzy Hash: 0a01272ec2329c064a50f1e4463546cbeb7d5f9d5e5b645f70debd178f7bbb8f
              • Instruction Fuzzy Hash: EA11083170121A6BEB369A3DCC81A7A3B99DF85E5CF4840B9F905DA182EB68D9408291
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E013712D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
              				struct HWND__* _t20;
              				struct HWND__* _t21;
              
              				if(_a8 == 0x30) {
              					E0137D6E4(0x13b0078, _a4);
              				} else {
              					_t27 = _a8 - 0x110;
              					if(_a8 == 0x110) {
              						E0137D70B(0x13b0078, _t27, _a4, _a20, _a28 & 1);
              						if((_a28 & 0x00000001) != 0) {
              							_t20 =  *0x13adfd4(_a4);
              							if(_t20 != 0) {
              								_t21 = GetDlgItem(_t20, 0x3021);
              								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
              									SetWindowTextW(_t21, 0x13a22e4);
              								}
              							}
              						}
              					}
              				}
              				return 0;
              			}






              APIs
                • Part of subcall function 0137D70B: _swprintf.LIBCMT ref: 0137D731
                • Part of subcall function 0137D70B: _strlen.LIBCMT ref: 0137D752
                • Part of subcall function 0137D70B: SetDlgItemTextW.USER32(?,013AD154,?), ref: 0137D7B2
                • Part of subcall function 0137D70B: GetWindowRect.USER32(?,?), ref: 0137D7EC
                • Part of subcall function 0137D70B: GetClientRect.USER32(?,?), ref: 0137D7F8
              • GetDlgItem.USER32(00000000,00003021), ref: 0137131B
              • SetWindowTextW.USER32(00000000,013A22E4), ref: 01371331
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemRectTextWindow$Client_strlen_swprintf
              • String ID: 0
              • API String ID: 2622349952-4108050209
              • Opcode ID: 9e87769a571131f2f8886dbed470bfebaec2c5c52847f9dae2eda07581a62f56
              • Instruction ID: 5d7d2846c958edcec7ab8f5e98c82bbd06c99ba711b3ca0ad8c544d9d7b48fc7
              • Opcode Fuzzy Hash: 9e87769a571131f2f8886dbed470bfebaec2c5c52847f9dae2eda07581a62f56
              • Instruction Fuzzy Hash: A4F04FB154024CABFF361EA89848AFA3F6DAF1434CF448104FE8495991C77CC198EB10
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E013804BA(void* __ecx, void* __ebp, void* _a4) {
              				void* __esi;
              				long _t2;
              				void* _t6;
              
              				_t6 = __ecx;
              				_t2 = WaitForSingleObject(_a4, 0xffffffff);
              				if(_t2 == 0xffffffff) {
              					_push(GetLastError());
              					return E01376CC9(E01376CCE(_t6, 0x13b00e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x13b00e0, 0x13b00e0, 2);
              				}
              				return _t2;
              			}







              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,013805D9,?,?,0138064E,?,?,?,?,?,01380638), ref: 013804C0
              • GetLastError.KERNEL32(?,?,0138064E,?,?,?,?,?,01380638), ref: 013804CC
                • Part of subcall function 01376CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01376CEC
              Strings
              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 013804D5
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
              • String ID: WaitForMultipleObjects error %d, GetLastError %d
              • API String ID: 1091760877-2248577382
              • Opcode ID: 786a986bf4aa5043dfafc7f065b5e9bd9c1c07991167176aa1e10c9d03c687b4
              • Instruction ID: 9a81097a8e0503f575f700a4420c14b36edc66618c2dca5e62f068fce3e8d9a4
              • Opcode Fuzzy Hash: 786a986bf4aa5043dfafc7f065b5e9bd9c1c07991167176aa1e10c9d03c687b4
              • Instruction Fuzzy Hash: 7AD02B7184843327DA20332C6C0ADAF340ACB11738F908308F535612D9CA100C5483D1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0137D6C1(void* __ecx) {
              				struct HRSRC__* _t3;
              				void* _t5;
              
              				_t5 = __ecx;
              				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
              				if(_t3 != 0) {
              					 *((char*)(_t5 + 0x64)) = 1;
              					return _t3;
              				}
              				return _t3;
              			}






              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,0137CFBE,?), ref: 0137D6C6
              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0137CFBE,?), ref: 0137D6D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.285871241.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true
              • Associated: 00000000.00000002.285867048.0000000001370000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285891508.00000000013A2000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.285899091.00000000013AD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285904734.00000000013B4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285909730.00000000013D0000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.285914433.00000000013D1000.00000002.00020000.sdmp
              Similarity
              • API ID: FindHandleModuleResource
              • String ID: RTL
              • API String ID: 3537982541-834975271
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              APIs
              • _wcslen.LIBCMT ref: 00BE9911
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _memmove.LIBCMT ref: 00BE995C
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00BE99A3
              • _memmove.LIBCMT ref: 00BE9FE6
              • _memmove.LIBCMT ref: 00BEA914
              • _memmove.LIBCMT ref: 00C09769
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              • Associated: 00000008.00000002.514219170.0000000000BE0000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515016602.0000000000C62000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515090792.0000000000C70000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515130013.0000000000C71000.00000008.00020000.sdmp
              • Associated: 00000008.00000002.515175366.0000000000C72000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515216552.0000000000C87000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515247896.0000000000C8B000.00000002.00020000.sdmp
              Similarity
              • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
              • String ID:
              • API String ID: 2383988440-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\68821130\mofcxpne.aan,00BEF1F5,C:\Users\user\68821130\mofcxpne.aan,00C890E8,C:\Users\user\68821130\mofcxpne.aan,?,00BEF1F5,?,?,00000001), ref: 00BEF23C
                • Part of subcall function 00C138ED: __wsplitpath.LIBCMT ref: 00C13913
                • Part of subcall function 00C138ED: __wsplitpath.LIBCMT ref: 00C13935
                • Part of subcall function 00C138ED: __wcsicoll.LIBCMT ref: 00C13959
                • Part of subcall function 00C1397D: GetFileAttributesW.KERNEL32(?), ref: 00C13984
              • _wcscat.LIBCMT ref: 00C2BD20
              • _wcscat.LIBCMT ref: 00C2BD49
              • __wsplitpath.LIBCMT ref: 00C2BD76
              • FindFirstFileW.KERNEL32(?,?), ref: 00C2BD8E
              • _wcscpy.LIBCMT ref: 00C2BDFD
              • _wcscat.LIBCMT ref: 00C2BE0F
              • _wcscat.LIBCMT ref: 00C2BE21
              • lstrcmpiW.KERNEL32(?,?), ref: 00C2BE4D
              • DeleteFileW.KERNEL32(?), ref: 00C2BE5F
              • MoveFileW.KERNEL32(?,?), ref: 00C2BE7F
              • CopyFileW.KERNEL32(?,?,00000000), ref: 00C2BE96
              • DeleteFileW.KERNEL32(?), ref: 00C2BEA1
              • CopyFileW.KERNEL32(?,?,00000000), ref: 00C2BEB8
              • FindClose.KERNEL32(00000000), ref: 00C2BEBF
              • MoveFileW.KERNEL32(?,?), ref: 00C2BEDB
              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00C2BEF0
              • FindClose.KERNEL32(00000000), ref: 00C2BF08
              Strings
              Similarity
              • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
              • String ID: \*.*
              • API String ID: 2188072990-1173974218
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00BE3681
              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00BE3697
              • __wsplitpath.LIBCMT ref: 00BE36C2
                • Part of subcall function 00BF392E: __wsplitpath_helper.LIBCMT ref: 00BF3970
              • _wcscpy.LIBCMT ref: 00BE36D7
              • _wcscat.LIBCMT ref: 00BE36EC
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BE36FC
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
                • Part of subcall function 00BE3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00BE378C,?,?,?,00000010), ref: 00BE3D38
                • Part of subcall function 00BE3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00BE3D71
              • _wcscpy.LIBCMT ref: 00BE37D0
              • _wcslen.LIBCMT ref: 00BE3853
              • _wcslen.LIBCMT ref: 00BE38AD
              Strings
              • Unterminated string, xrefs: 00C082C6
              • Error opening the file, xrefs: 00C081AF
              • _, xrefs: 00BE394C
              • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00C0817E
              Similarity
              • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
              • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
              • API String ID: 3393021363-188983378
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00BED7BA
                • Part of subcall function 00BE2190: __wcsicoll.LIBCMT ref: 00BE2262
                • Part of subcall function 00BE2190: __wcsicoll.LIBCMT ref: 00BE2278
                • Part of subcall function 00BE2190: __wcsicoll.LIBCMT ref: 00BE228E
                • Part of subcall function 00BE2190: __wcsicoll.LIBCMT ref: 00BE22A4
                • Part of subcall function 00BE2190: _wcscpy.LIBCMT ref: 00BE22C4
              • IsDebuggerPresent.KERNEL32 ref: 00BED7C6
              • GetFullPathNameW.KERNEL32(C:\Users\user\68821130\mofcxpne.aan,00000104,?,00C87F50,00C87F54), ref: 00BED82D
                • Part of subcall function 00BE16A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00BE16E5
              • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00BED8A2
              • MessageBoxA.USER32 ref: 00C0E14F
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00C0E1A3
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C0E1D3
              • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00C0E21D
              • ShellExecuteW.SHELL32(00000000), ref: 00C0E224
                • Part of subcall function 00BF03E0: GetSysColorBrush.USER32 ref: 00BF03EB
                • Part of subcall function 00BF03E0: LoadCursorW.USER32 ref: 00BF03FA
                • Part of subcall function 00BF03E0: LoadIconW.USER32 ref: 00BF0410
                • Part of subcall function 00BF03E0: LoadIconW.USER32 ref: 00BF0423
                • Part of subcall function 00BF03E0: LoadIconW.USER32 ref: 00BF0436
                • Part of subcall function 00BF03E0: LoadImageW.USER32 ref: 00BF045E
                • Part of subcall function 00BF03E0: RegisterClassExW.USER32 ref: 00BF04AD
                • Part of subcall function 00BF0350: CreateWindowExW.USER32 ref: 00BF0385
                • Part of subcall function 00BF0350: CreateWindowExW.USER32 ref: 00BF03AE
                • Part of subcall function 00BF0350: ShowWindow.USER32(?,00000000), ref: 00BF03C4
                • Part of subcall function 00BF0350: ShowWindow.USER32(?,00000000), ref: 00BF03CE
                • Part of subcall function 00BEE2C0: Shell_NotifyIconW.SHELL32 ref: 00BEE3A7
              Strings
              Similarity
              • API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__wcscpy
              • String ID: AutoIt$C:\Users\user\68821130\mofcxpne.aan$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
              • API String ID: 1688597619-2272884930
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00C13EE2
              • Process32FirstW.KERNEL32 ref: 00C13EF2
              • Process32NextW.KERNEL32 ref: 00C13F1D
              • __wsplitpath.LIBCMT ref: 00C13F48
                • Part of subcall function 00BF392E: __wsplitpath_helper.LIBCMT ref: 00BF3970
              • _wcscat.LIBCMT ref: 00C13F5B
              • __wcsicoll.LIBCMT ref: 00C13F6B
              • FindCloseChangeNotification.KERNEL32(00000000), ref: 00C13FA4
              Similarity
              • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
              • String ID:
              • API String ID: 2431060436-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(uxtheme.dll,00BEEE15,00BED92E), ref: 00BEEE3B
              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00BEEE4D
              Strings
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: IsThemeActive$uxtheme.dll
              • API String ID: 2574300362-3542929980
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesW.KERNEL32(?,00000000), ref: 00C139AC
              • FindFirstFileW.KERNEL32(?,?), ref: 00C139BD
              • FindClose.KERNEL32(00000000), ref: 00C139D0
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F12E), ref: 00BFF175
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: __wcsnicmp
              • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-3360698832
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: Message$Peek$DispatchSleepTranslate
              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
              • API String ID: 1762048999-758534266
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegConnectRegistryW.ADVAPI32 ref: 00C4AC5C
              • RegCreateKeyExW.KERNEL32(?,?,00000000,00C64E64,00000000,?,00000000,?,?,?), ref: 00C4ACB6
              • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 00C4AD00
              Strings
              Similarity
              • API ID: CloseConnectCreateRegistry
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 3217815495-966354055
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 00C4EE0E
              • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 00C4F1FA
              • IsWindow.USER32(?), ref: 00C4F22F
              • GetDesktopWindow.USER32 ref: 00C4F2EB
              • EnumChildWindows.USER32 ref: 00C4F2F2
              • EnumWindows.USER32 ref: 00C4F2FA
                • Part of subcall function 00C259E6: _wcslen.LIBCMT ref: 00C259F6
              Strings
              Similarity
              • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
              • API String ID: 329138477-1919597938
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcsncpy.LIBCMT ref: 00C3CE26
              • __wsplitpath.LIBCMT ref: 00C3CE65
              • _wcscat.LIBCMT ref: 00C3CE78
              • _wcscat.LIBCMT ref: 00C3CE8B
              • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CE9F
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CEB2
                • Part of subcall function 00C1397D: GetFileAttributesW.KERNEL32(?), ref: 00C13984
              • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CEF2
              • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CF0A
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CF1B
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CF2C
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CF40
              • _wcscpy.LIBCMT ref: 00C3CF4E
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 00C3CF91
              Strings
              Similarity
              • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
              • String ID: *.*
              • API String ID: 1153243558-438819550
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00BEE5FF
              • __wsplitpath.LIBCMT ref: 00BEE61C
                • Part of subcall function 00BF392E: __wsplitpath_helper.LIBCMT ref: 00BF3970
              • _wcsncat.LIBCMT ref: 00BEE633
              • __wmakepath.LIBCMT ref: 00BEE64F
                • Part of subcall function 00BF39BE: __wmakepath_s.LIBCMT ref: 00BF39D4
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              • _wcscpy.LIBCMT ref: 00BEE687
                • Part of subcall function 00BEE6C0: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,00BEE6A1), ref: 00BEE6DD
              • _wcscat.LIBCMT ref: 00C07324
              • _wcslen.LIBCMT ref: 00C07334
              • _wcslen.LIBCMT ref: 00C07345
              • _wcscat.LIBCMT ref: 00C0735F
              • _wcsncpy.LIBCMT ref: 00C0739F
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
              • String ID: Include$\
              • API String ID: 3173733714-3429789819
              • Opcode ID: 7d22b514daf4e19265210013e9f719d96bfffbb57020160f4ae8676dc51053fd
              • Instruction ID: 7154d029d99416ba2182b9a42dfeb7315ef3912cd6fbc877d67063f16dcadf1e
              • Opcode Fuzzy Hash: 7d22b514daf4e19265210013e9f719d96bfffbb57020160f4ae8676dc51053fd
              • Instruction Fuzzy Hash: A95194B18083459BC310EFA9DC89B7E73F8FB88300F444A5DF599872A1E7709608CB5A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColorBrush.USER32 ref: 00BF0513
              • RegisterClassExW.USER32 ref: 00BF053D
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF054E
              • InitCommonControlsEx.COMCTL32(00C890E8), ref: 00BF056B
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF057B
              • LoadIconW.USER32 ref: 00BF0592
              • ImageList_ReplaceIcon.COMCTL32(017CE5E8,000000FF,00000000), ref: 00BF05A2
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 06e1de3e75f060837162ece8dddd184e9f1f0726db56e60a9b9834f8677044f6
              • Instruction ID: dabbcc11bf232eba27f61968b14240a59ea25a3086a64ef83bebff7b3f714488
              • Opcode Fuzzy Hash: 06e1de3e75f060837162ece8dddd184e9f1f0726db56e60a9b9834f8677044f6
              • Instruction Fuzzy Hash: 2121F7B4900218AFDB20DFA5E889B9DBBB5FB08711F50821AF905A6390D7B14544CF94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColorBrush.USER32 ref: 00BF03EB
              • LoadCursorW.USER32 ref: 00BF03FA
              • LoadIconW.USER32 ref: 00BF0410
              • LoadIconW.USER32 ref: 00BF0423
              • LoadIconW.USER32 ref: 00BF0436
              • LoadImageW.USER32 ref: 00BF045E
              • RegisterClassExW.USER32 ref: 00BF04AD
                • Part of subcall function 00BF04E0: GetSysColorBrush.USER32 ref: 00BF0513
                • Part of subcall function 00BF04E0: RegisterClassExW.USER32 ref: 00BF053D
                • Part of subcall function 00BF04E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF054E
                • Part of subcall function 00BF04E0: InitCommonControlsEx.COMCTL32(00C890E8), ref: 00BF056B
                • Part of subcall function 00BF04E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF057B
                • Part of subcall function 00BF04E0: LoadIconW.USER32 ref: 00BF0592
                • Part of subcall function 00BF04E0: ImageList_ReplaceIcon.COMCTL32(017CE5E8,000000FF,00000000), ref: 00BF05A2
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 236fdb1cffae60103c029c8481e742f29df1b1fe2f5e45bdde8a17ff1a20ea60
              • Instruction ID: ba0c3ae9f21e6b9520b366da037acc2185b3850bf05ece116d6f43902426af07
              • Opcode Fuzzy Hash: 236fdb1cffae60103c029c8481e742f29df1b1fe2f5e45bdde8a17ff1a20ea60
              • Instruction Fuzzy Hash: 772123B1D15318ABD720DFAAEC45B9E7BB5BB4C700F10415AF608A7290E7B49550CF98
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _malloc
              • String ID: Default
              • API String ID: 1579825452-753088835
              • Opcode ID: 8d6e787babdeeff6ba0d0e216b4d6416ce086fd0e872c0556b9a5e649bcd3a01
              • Instruction ID: 37b5ea1df27f9c9c4becceae5c74b03d6e199215426907b811ff04f7fb33019b
              • Opcode Fuzzy Hash: 8d6e787babdeeff6ba0d0e216b4d6416ce086fd0e872c0556b9a5e649bcd3a01
              • Instruction Fuzzy Hash: 01726D70604381DFC714DF2AC8C1A2AB7E9EF88310F2889A9E9968B351D735ED45DB53
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __fread_nolock_fseek_memmove_strcat
              • String ID: AU3!$EA06
              • API String ID: 1268643489-2658333250
              • Opcode ID: 1978a6e8fdb8ff5120cedac086402c050c436858a0a3882a956c023fe243e077
              • Instruction ID: e6acdc752323fa9103950ab17ad42ec0a363dc2036266adad8003bb91d185fa5
              • Opcode Fuzzy Hash: 1978a6e8fdb8ff5120cedac086402c050c436858a0a3882a956c023fe243e077
              • Instruction Fuzzy Hash: ED413E7290518D5BDB11CBA8C891FFD3BE4EB0A300F6404F9F695C7142E7709A85CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00BE1376
              • KillTimer.USER32(?,00000001), ref: 00BE13F9
                • Part of subcall function 00BE1240: Shell_NotifyIconW.SHELL32 ref: 00BE129B
              • PostQuitMessage.USER32(00000000), ref: 00BE140B
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow
              • String ID: TaskbarCreated
              • API String ID: 3067442764-2362178303
              • Opcode ID: 0ac6296b9510d01bc5dd532eacd9679c88088815dccb54f6e2795a9780683a36
              • Instruction ID: ffafcc16bd3922aba5caae59143b1da1ff106c26b1e74042ac72d0863f08787d
              • Opcode Fuzzy Hash: 0ac6296b9510d01bc5dd532eacd9679c88088815dccb54f6e2795a9780683a36
              • Instruction Fuzzy Hash: 01411A72608389ABDB20DB5EDCC6FAD73E9F744310F604AA6F905879D1C7B09C40879A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C13229: _wcsncpy.LIBCMT ref: 00C13241
              • _wcslen.LIBCMT ref: 00C135D7
              • GetFileAttributesW.KERNEL32(?), ref: 00C13601
              • GetLastError.KERNEL32 ref: 00C13610
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C13624
              • _wcsrchr.LIBCMT ref: 00C1364B
                • Part of subcall function 00C135B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1368C
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
              • String ID: \
              • API String ID: 321622961-2967466578
              • Opcode ID: 332f22a56939f093988b2ced8d88bbd28d1159bedcf877b881849409e1e3281b
              • Instruction ID: ad90ce03d951d1b854ecd42fe4e427b9020e939b7ebc607ea325216ebdf0b49b
              • Opcode Fuzzy Hash: 332f22a56939f093988b2ced8d88bbd28d1159bedcf877b881849409e1e3281b
              • Instruction Fuzzy Hash: E421F975941318AADF20AB74AC06BEA739CEF03714F004AD5FD2897141EA719FC89AA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove$_malloc
              • String ID:
              • API String ID: 1938898002-0
              • Opcode ID: a10198c5ad6de5bc9d3b88872ab7add69ea62b26a0da27a258af81c6084987bf
              • Instruction ID: 04d36daf8201748d03e509dd16243a7ac66443a29592885323c539a50f0f6135
              • Opcode Fuzzy Hash: a10198c5ad6de5bc9d3b88872ab7add69ea62b26a0da27a258af81c6084987bf
              • Instruction Fuzzy Hash: BD81B4726141595BCB01FFA8DC42EFF73A8FF84314F050AA5FE14A7282DB35AA1587A4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00BEE72A
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • GetCurrentProcess.KERNEL32(?), ref: 00BEE7D4
              • GetNativeSystemInfo.KERNEL32(?), ref: 00BEE832
              • FreeLibrary.KERNEL32(?), ref: 00BEE842
              • FreeLibrary.KERNEL32(?), ref: 00BEE854
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
              • String ID:
              • API String ID: 3363477735-0
              • Opcode ID: 5e2ddd34e09092bca31ee50802186dc7f8cb48c8f966b7622d0ff7672540cea3
              • Instruction ID: b62d59300509707640f0ffc0194017cde7f03319e8deb1611870d84c45dcb6b2
              • Opcode Fuzzy Hash: 5e2ddd34e09092bca31ee50802186dc7f8cb48c8f966b7622d0ff7672540cea3
              • Instruction Fuzzy Hash: 6961AF70D0868AEACB10DFA5C88869CBFF4BF09304F14469AD45493B41C375FA98CF96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcsncpy$DesktopFolderFromListMallocPath
              • String ID: C:\Users\user\68821130\mofcxpne.aan
              • API String ID: 3170942423-2769524648
              • Opcode ID: 53b597f470d0d25f865fa2cff181d38323b52362619a7be17751cdc38d4537f6
              • Instruction ID: 63dcdffc052744a42ff1d2c9f88a32d8ea361daed3028da52450beaa02aea3d9
              • Opcode Fuzzy Hash: 53b597f470d0d25f865fa2cff181d38323b52362619a7be17751cdc38d4537f6
              • Instruction Fuzzy Hash: F2216075A01619ABCB14EBA4DC84DEFB37DEF88700F108598F90997250EB30EE45DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1E00: _wcsncpy.LIBCMT ref: 00BE1ED2
                • Part of subcall function 00BE1E00: _wcscpy.LIBCMT ref: 00BE1EF1
                • Part of subcall function 00BE1E00: Shell_NotifyIconW.SHELL32 ref: 00BE1F03
              • KillTimer.USER32(?,?,?,?,?), ref: 00BE1513
              • SetTimer.USER32 ref: 00BE1522
              • Shell_NotifyIconW.SHELL32 ref: 00C07BC8
              • Shell_NotifyIconW.SHELL32 ref: 00C07C1C
              • Shell_NotifyIconW.SHELL32 ref: 00C07C67
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
              • String ID:
              • API String ID: 3300667738-0
              • Opcode ID: 23b943d56173ac9204d7863a5e4c4f743cb88e8fea2da4ff283592360ea9e4aa
              • Instruction ID: d0327557f9a2a2e5684e32c217f745f2e08606d7b5329b5e70a2c8eb0a25720c
              • Opcode Fuzzy Hash: 23b943d56173ac9204d7863a5e4c4f743cb88e8fea2da4ff283592360ea9e4aa
              • Instruction Fuzzy Hash: 1A316E70A08A49AFEB2ACB25CC95BEAFBFDBF46304F1041C5E19D56140C7706E95CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,00BEE6A1), ref: 00BEE6DD
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,00BEE6A1,00000000,?,?,?,00BEE6A1), ref: 00C07117
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,00BEE6A1,?,00000000,?,?,?,?,00BEE6A1), ref: 00C0715E
              • RegCloseKey.ADVAPI32(?,?,?,?,00BEE6A1), ref: 00C0718F
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID: Include$Software\AutoIt v3\AutoIt
              • API String ID: 1586453840-614718249
              • Opcode ID: 9906edc5d5c94ff4f4ef80b0a9ea3d2129b52554311ebabcc05f4fb815a2fac1
              • Instruction ID: c7822ede9febdc3304e950947d1c26781e0609430ba576516ffa34c44aa5ceeb
              • Opcode Fuzzy Hash: 9906edc5d5c94ff4f4ef80b0a9ea3d2129b52554311ebabcc05f4fb815a2fac1
              • Instruction Fuzzy Hash: 23219372B80208BBDB24DBA5DC46FEE77BCEB54700F100659F606E72C0EAB1AA01D754
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateWindowExW.USER32 ref: 00BF0385
              • CreateWindowExW.USER32 ref: 00BF03AE
              • ShowWindow.USER32(?,00000000), ref: 00BF03C4
              • ShowWindow.USER32(?,00000000), ref: 00BF03CE
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 955e797548bb20847af4d1491562b7b5459fa207ce1aed884406da3f12281dd5
              • Instruction ID: 0dd99a99d7e37f4c0091c72a7618b8c7a0fa5c5520bac2b7aff9a39dd2c9f619
              • Opcode Fuzzy Hash: 955e797548bb20847af4d1491562b7b5459fa207ce1aed884406da3f12281dd5
              • Instruction Fuzzy Hash: 98F0B771BD5318BAF7749B64EC43F5A3658A708F51F304526B708BB1E0D5E079808BD9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _malloc_wcslen$_strcat_wcscpy
              • String ID:
              • API String ID: 1612042205-0
              • Opcode ID: 13590c213cf1d1171041eb57d3338a6d77bac7878208b9ac2f0c624dff18aefb
              • Instruction ID: bb3cbeea8ecfcc24aa9f0fc1be774dc89be3ad0af16abafc255f23dc085cb7cb
              • Opcode Fuzzy Hash: 13590c213cf1d1171041eb57d3338a6d77bac7878208b9ac2f0c624dff18aefb
              • Instruction Fuzzy Hash: C3912AB4614209EFCB10DF69C4D19A9BBB5FF49300B50CA99EC4A8B356DB30EA55CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,00C890E8,14000000,00C0E1BD), ref: 00C12FDD
              • LockServiceDatabase.ADVAPI32(00000000), ref: 00C12FEA
              • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00C12FF5
              • CloseServiceHandle.ADVAPI32(00000000), ref: 00C12FFE
              • GetLastError.KERNEL32 ref: 00C13009
              • CloseServiceHandle.ADVAPI32(00000000), ref: 00C13019
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
              • String ID:
              • API String ID: 1690418490-0
              • Opcode ID: 0a4bb9e6a3df4ad79bdba4cee83b86308283c17cc2ab3cc9f0d62a5f4d7897ce
              • Instruction ID: 24155e444c8e36e7c51f1188abd3c3aa9eb141a5fd0c0d52932531bceae7218a
              • Opcode Fuzzy Hash: 0a4bb9e6a3df4ad79bdba4cee83b86308283c17cc2ab3cc9f0d62a5f4d7897ce
              • Instruction Fuzzy Hash: 8AE09231687A207BD6311B256C1DBCF3B9CAB2F752F040013F211E2160CB99CA49EBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExW.KERNEL32(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 00BF06F7
              • RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 00BF071E
              • RegCloseKey.KERNEL32(?), ref: 00BF0745
              • RegCloseKey.ADVAPI32(?), ref: 00BF0759
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Close$OpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 1607946009-824357125
              • Opcode ID: 2756f729144b7343ab8a32fe4c141cf307c198df460c40b3b79d01ec36f4d6f5
              • Instruction ID: 944bb9596d9260119003a23c5a7731654db9ae09d93cfd8858c67ea901e4dada
              • Opcode Fuzzy Hash: 2756f729144b7343ab8a32fe4c141cf307c198df460c40b3b79d01ec36f4d6f5
              • Instruction Fuzzy Hash: FC116A76640108BF8B10DFA9EC44AEFB7BCEF58300B10458AF908C3210E6719A11CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __fread_nolock_fseek_memmove_strcat
              • String ID: AU3!
              • API String ID: 1268643489-3499719025
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEFE20: _wcslen.LIBCMT ref: 00BEFE35
                • Part of subcall function 00BEFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00C343ED,?,00000000,?,?), ref: 00BEFE4E
                • Part of subcall function 00BEFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00BEFE77
              • _strcat.LIBCMT ref: 00BEF4B6
                • Part of subcall function 00BEF540: _strlen.LIBCMT ref: 00BEF548
                • Part of subcall function 00BEF540: _sprintf.LIBCMT ref: 00BEF69E
              Strings
              Similarity
              • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
              • String ID: C:\Users\user\68821130\mofcxpne.aan$?T
              • API String ID: 3199840319-809645482
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetEnvironmentStringsW.KERNEL32(00000000,00BF6433), ref: 00BFF4A7
              • __malloc_crt.LIBCMT ref: 00BFF4D6
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFF4E3
              Similarity
              • API ID: EnvironmentStrings$Free__malloc_crt
              • String ID:
              • API String ID: 237123855-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BF34DB: __FF_MSGBANNER.LIBCMT ref: 00BF34F4
                • Part of subcall function 00BF34DB: __NMSG_WRITE.LIBCMT ref: 00BF34FB
                • Part of subcall function 00BF34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00BF6A35,?,00000001,?,?,00BF8179,00000018,00C6D180,0000000C,00BF8209), ref: 00BF3520
              • std::exception::exception.LIBCMT ref: 00BF1546
              • std::exception::exception.LIBCMT ref: 00BF1560
              • __CxxThrowException@8.LIBCMT ref: 00BF1571
              Similarity
              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
              • String ID:
              • API String ID: 615853336-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _memmove.LIBCMT ref: 00BE1D57
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              Strings
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
              • String ID: @EXITCODE
              • API String ID: 2734553683-3436989551
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: __wcsicoll
              • String ID:
              • API String ID: 3832890014-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • VariantInit.OLEAUT32 ref: 00C0A95F
              • VariantCopy.OLEAUT32(?,?), ref: 00C0A969
              • VariantClear.OLEAUT32(00000000), ref: 00C0A97A
              Similarity
              • API ID: Variant$ClearCopyInit_malloc
              • String ID:
              • API String ID: 2981388473-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _memmove.LIBCMT ref: 00BE9FE6
              • VariantInit.OLEAUT32 ref: 00C09B15
              • VariantCopy.OLEAUT32(?,?), ref: 00C09B23
              • VariantClear.OLEAUT32(00000000), ref: 00C09B34
              Similarity
              • API ID: Variant$ClearCopyInit_malloc_memmove
              • String ID:
              • API String ID: 441919481-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: __filbuf__getptd_noexit__read_memcpy_s
              • String ID:
              • API String ID: 1794320848-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: _wcslen
              • String ID:
              • API String ID: 176396367-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _strlen.LIBCMT ref: 00C12991
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00C34515,00000000,00000000,?,?,?,00C34515,?,000000FF), ref: 00C129A6
              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00C34515,00000000,00000000,000000FF), ref: 00C129E5
              Similarity
              • API ID: ByteCharMultiWide$_strlen
              • String ID:
              • API String ID: 1433632580-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcslen.LIBCMT ref: 00BEFE35
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00C343ED,?,00000000,?,?), ref: 00BEFE4E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00BEFE77
              Similarity
              • API ID: ByteCharMultiWide$_wcslen
              • String ID:
              • API String ID: 2761822629-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Message$DispatchPeekTranslate
              • String ID:
              • API String ID: 4217535847-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEF490: _strcat.LIBCMT ref: 00BEF4B6
              • _free.LIBCMT ref: 00C09524
                • Part of subcall function 00BE35F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00BE3681
                • Part of subcall function 00BE35F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00BE3697
                • Part of subcall function 00BE35F0: __wsplitpath.LIBCMT ref: 00BE36C2
                • Part of subcall function 00BE35F0: _wcscpy.LIBCMT ref: 00BE36D7
                • Part of subcall function 00BE35F0: _wcscat.LIBCMT ref: 00BE36EC
                • Part of subcall function 00BE35F0: SetCurrentDirectoryW.KERNEL32(?), ref: 00BE36FC
              Strings
              Similarity
              • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
              • String ID: C:\Users\user\68821130\mofcxpne.aan
              • API String ID: 3938964917-2769524648
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 00C0959F
                • Part of subcall function 00BEF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\68821130\mofcxpne.aan,00BEF1F5,C:\Users\user\68821130\mofcxpne.aan,00C890E8,C:\Users\user\68821130\mofcxpne.aan,?,00BEF1F5,?,?,00000001), ref: 00BEF23C
                • Part of subcall function 00BEF3B0: SHGetMalloc.SHELL32(00BEF1FC), ref: 00BEF3BD
                • Part of subcall function 00BEF3B0: SHGetDesktopFolder.SHELL32(?,00C890E8), ref: 00BEF3D2
                • Part of subcall function 00BEF3B0: _wcsncpy.LIBCMT ref: 00BEF3ED
                • Part of subcall function 00BEF3B0: SHGetPathFromIDListW.SHELL32 ref: 00BEF427
                • Part of subcall function 00BEF3B0: _wcsncpy.LIBCMT ref: 00BEF440
                • Part of subcall function 00BEF290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00BEF2AB
              Strings
              Similarity
              • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
              • String ID: X
              • API String ID: 85490731-3081909835
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc
              • String ID:
              • API String ID: 2388904642-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SystemParametersInfoW.USER32 ref: 00BED979
              • FreeLibrary.KERNEL32(?), ref: 00BED98E
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FreeInfoLibraryParametersSystem
              • String ID:
              • API String ID: 3403648963-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _malloc_wcscpy_wcslen
              • String ID:
              • API String ID: 245337311-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\68821130\mofcxpne.aan,00BEF1F5,C:\Users\user\68821130\mofcxpne.aan,00C890E8,C:\Users\user\68821130\mofcxpne.aan,?,00BEF1F5,?,?,00000001), ref: 00BEF23C
              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,?), ref: 00C3E454
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C3E467
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: PrivateProfileStringWrite$FullNamePath
              • String ID:
              • API String ID: 3876400906-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00BEE094,?,00000001,?,00BE3653,?), ref: 00BF07CA
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00BEE094,?,00000001,?,00BE3653,?), ref: 00C06296
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00BE16E5
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • _wcscat.LIBCMT ref: 00C08BC8
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FullNamePath_memmove_wcscat_wcslen
              • String ID:
              • API String ID: 189345764-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF7E9A: __getptd_noexit.LIBCMT ref: 00BF7E9A
              • __lock_file.LIBCMT ref: 00BF49AD
                • Part of subcall function 00BF5391: __lock.LIBCMT ref: 00BF53B6
              • __fclose_nolock.LIBCMT ref: 00BF49B8
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • timeGetTime.WINMM ref: 00BED5DC
                • Part of subcall function 00BE9430: PeekMessageW.USER32 ref: 00BE94B6
              • Sleep.KERNEL32(00000000), ref: 00C0E125
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessagePeekSleepTimetime
              • String ID:
              • API String ID: 1792118007-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00BE378C,?,?,?,00000010), ref: 00BE3D38
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00BE3D71
                • Part of subcall function 00BE3DA0: _memmove.LIBCMT ref: 00BE3DD7
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ByteCharMultiWide$_malloc_memmove
              • String ID:
              • API String ID: 961785871-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _memmove.LIBCMT ref: 00C4FAAB
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _malloc_memmove
              • String ID:
              • API String ID: 1183979061-0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __wsplitpath
              • String ID:
              • API String ID: 3929583758-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 00BEE248
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindow.USER32(00000000), ref: 00C4F386
                • Part of subcall function 00C1198A: _memmove.LIBCMT ref: 00C119CA
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window_memmove
              • String ID:
              • API String ID: 517827167-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetShortPathNameW.KERNEL32 ref: 00C3CA1A
                • Part of subcall function 00BEF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\68821130\mofcxpne.aan,00BEF1F5,C:\Users\user\68821130\mofcxpne.aan,00C890E8,C:\Users\user\68821130\mofcxpne.aan,?,00BEF1F5,?,?,00000001), ref: 00BEF23C
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: NamePath$FullShort
              • String ID:
              • API String ID: 4229621559-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BEF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\68821130\mofcxpne.aan,00BEF1F5,C:\Users\user\68821130\mofcxpne.aan,00C890E8,C:\Users\user\68821130\mofcxpne.aan,?,00BEF1F5,?,?,00000001), ref: 00BEF23C
              • GetPrivateProfileStringW.KERNEL32 ref: 00C3E501
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FullNamePathPrivateProfileString_malloc
              • String ID:
              • API String ID: 3364953200-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlAllocateHeap.NTDLL(00000008,00BF12DC,00000000,?,00BF6A7F,?,00BF12DC,00000000,00000000,00000000,?,00BF793E,00000001,00000214,?,00BF12DC), ref: 00BFF5DA
                • Part of subcall function 00BF7E9A: __getptd_noexit.LIBCMT ref: 00BF7E9A
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AllocateHeap__getptd_noexit
              • String ID:
              • API String ID: 328603210-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNEL32(00000000,?,00010000,?,00000000,?,?), ref: 00BE3B92
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _memmove.LIBCMT ref: 00C2C17E
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _malloc_memmove
              • String ID:
              • API String ID: 1183979061-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __lock_file
              • String ID:
              • API String ID: 3031932315-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcscpy
              • String ID:
              • API String ID: 3048848545-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              • _memmove.LIBCMT ref: 00C0A17D
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
              • String ID:
              • API String ID: 620504543-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              • _memmove.LIBCMT ref: 00C0D363
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
              • String ID:
              • API String ID: 620504543-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • CharUpperBuffW.USER32(?,?), ref: 00BEED03
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: BuffCharUpper_malloc
              • String ID:
              • API String ID: 1573836695-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcslen.LIBCMT ref: 00C23C38
                • Part of subcall function 00C13D83: EnumProcesses.PSAPI(?,00000800,?,?,00C23C4D,?,?,?,00C88178), ref: 00C13DA0
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: EnumProcesses_wcslen
              • String ID:
              • API String ID: 3303492691-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1546
                • Part of subcall function 00BF14F7: std::exception::exception.LIBCMT ref: 00BF1560
                • Part of subcall function 00BF14F7: __CxxThrowException@8.LIBCMT ref: 00BF1571
              • _memmove.LIBCMT ref: 00C0877C
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
              • String ID:
              • API String ID: 620504543-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindCloseChangeNotification.KERNEL32(?,?,00C06F2F), ref: 00BED9DD
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 00BEE288
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesW.KERNEL32(?), ref: 00C13984
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 555eca30cfc4c9404d0192113d994c612dea57e821c4a413f6fed07ed135ea7e
              • Instruction ID: 6543ca14d6f9e12a161d3d8f9aa029f081fa55247ddef22a3a052e688fcbfa52
              • Opcode Fuzzy Hash: 555eca30cfc4c9404d0192113d994c612dea57e821c4a413f6fed07ed135ea7e
              • Instruction Fuzzy Hash: E5C08C3104074856CE140AECA84DAED3B8C494333CF442A40F97C875E1CAB1BED3A750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
              • Instruction ID: a2a8cfd22564415084f655d721bf77a876993aa02f9e9ab738f7338d67a8d837
              • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
              • Instruction Fuzzy Hash: 83C0927244024C77CF112A82EC02F5A3F9ADBC0BA0F048060FB1C1A561AA73EAA596D9
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              APIs
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C5C89B
              • DefDlgProcW.USER32(?,0000004E,?,?), ref: 00C5C8B6
              • GetKeyState.USER32 ref: 00C5C8E7
              • GetKeyState.USER32 ref: 00C5C8F0
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C5C903
              • GetKeyState.USER32 ref: 00C5C90D
              • GetWindowLongW.USER32 ref: 00C5C921
              • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 00C5C94D
              • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 00C5C970
              • _wcsncpy.LIBCMT ref: 00C5C9E3
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C5CA14
              • SendMessageW.USER32 ref: 00C5CA39
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C5CA99
              • SendMessageW.USER32(?,00001030,?,00C5EA24), ref: 00C5CB3E
              • ImageList_SetDragCursorImage.COMCTL32(017CE5E8,00000000,00000000,00000000), ref: 00C5CB55
              • ImageList_BeginDrag.COMCTL32(017CE5E8,00000000,000000F8,000000F0), ref: 00C5CB66
              • SetCapture.USER32(?), ref: 00C5CB70
              • ClientToScreen.USER32 ref: 00C5CBD1
              • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 00C5CBE0
              • ReleaseCapture.USER32 ref: 00C5CBF4
              • GetCursorPos.USER32(?), ref: 00C5CC2C
              • ScreenToClient.USER32 ref: 00C5CC3A
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C5CCA0
              • SendMessageW.USER32 ref: 00C5CCCC
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C5CD0D
              • SendMessageW.USER32 ref: 00C5CD3A
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C5CD53
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C5CD64
              • GetCursorPos.USER32(?), ref: 00C5CD82
              • ScreenToClient.USER32 ref: 00C5CD90
              • GetParent.USER32(00000000), ref: 00C5CDB1
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C5CE1A
              • SendMessageW.USER32 ref: 00C5CE4D
              • ClientToScreen.USER32 ref: 00C5CEA8
              • TrackPopupMenuEx.USER32(?,00000000,?,?,04291B68,00000000,?,?,?,?), ref: 00C5CED6
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C5CF00
              • SendMessageW.USER32 ref: 00C5CF25
              • ClientToScreen.USER32 ref: 00C5CF6F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,04291B68,00000000,?,?,?,?), ref: 00C5CFA0
              • GetWindowLongW.USER32 ref: 00C5D040
              Strings
              Similarity
              • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 3100379633-4164748364
              • Opcode ID: 27a5896a6d89895491b7a61257bf40c0fe0569c6f80697e222d732ba12acdb4a
              • Instruction ID: 8f28320468c0c39205e079438784e26795fa60ac3869d1871c4ec34394fe32b4
              • Opcode Fuzzy Hash: 27a5896a6d89895491b7a61257bf40c0fe0569c6f80697e222d732ba12acdb4a
              • Instruction Fuzzy Hash: 5442EFB86043009FD724CF24CCC4F6A77A4EF88711F184658FA559B2D1D7B0E98ACBA6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32 ref: 00C14407
              • FindWindowW.USER32 ref: 00C1442D
              • IsIconic.USER32(?), ref: 00C14436
              • ShowWindow.USER32(?,00000009), ref: 00C14443
              • SetForegroundWindow.USER32(?), ref: 00C14451
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C14468
              • GetCurrentThreadId.KERNEL32 ref: 00C1446C
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C1447A
              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C14489
              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C1448F
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C14498
              • SetForegroundWindow.USER32(00000000), ref: 00C1449E
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C144AD
              • keybd_event.USER32 ref: 00C144B6
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C144C4
              • keybd_event.USER32 ref: 00C144CD
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C144DB
              • keybd_event.USER32 ref: 00C144E4
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C144F2
              • keybd_event.USER32 ref: 00C144FB
              • SetForegroundWindow.USER32(00000000), ref: 00C14505
              • AttachThreadInput.USER32(00000000,?,00000000), ref: 00C14526
              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00C1452C
              Strings
              Similarity
              • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 2889586943-2988720461
              • Opcode ID: bb1a4e04d3bb1b5e27f38718d64757161e5ef9c249106dbafa700790e8ef273e
              • Instruction ID: 2b10adc64b87885da4db48c4a37a7187628b07a5fe6af7357d68de7268254a98
              • Opcode Fuzzy Hash: bb1a4e04d3bb1b5e27f38718d64757161e5ef9c249106dbafa700790e8ef273e
              • Instruction Fuzzy Hash: 18415072740218BFEB345BA5DC4EFBE7B6CDB45B51F10401AFA01EA1D0DAF09940ABA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C26294
              • CloseHandle.KERNEL32(?), ref: 00C262A6
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C262BE
              • GetProcessWindowStation.USER32 ref: 00C262D7
              • SetProcessWindowStation.USER32(00000000), ref: 00C262E1
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C262FD
              • _wcslen.LIBCMT ref: 00C2639E
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • _wcsncpy.LIBCMT ref: 00C263C6
              • LoadUserProfileW.USERENV(?,00000020), ref: 00C263DF
              • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 00C263F9
              • CreateProcessAsUserW.ADVAPI32 ref: 00C26428
              • UnloadUserProfile.USERENV(?,?), ref: 00C2645B
              • CloseWindowStation.USER32(00000000), ref: 00C26472
              • CloseDesktop.USER32(?), ref: 00C26480
              • SetProcessWindowStation.USER32(?), ref: 00C2648E
              • CloseHandle.KERNEL32(?), ref: 00C26498
              • DestroyEnvironmentBlock.USERENV(?), ref: 00C264AF
              Strings
              Similarity
              • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
              • String ID: $default$winsta0
              • API String ID: 3324942560-1027155976
              • Opcode ID: 6ef2149cf2c60b0e38263dd7501e8f3666fc45ca4d8b6967bab45d32533b02db
              • Instruction ID: 9602c0499780a5349842bc10b81ce16cdac45e401d56894950d4986503d0750c
              • Opcode Fuzzy Hash: 6ef2149cf2c60b0e38263dd7501e8f3666fc45ca4d8b6967bab45d32533b02db
              • Instruction Fuzzy Hash: 26815E70A00219ABDB20DFA5DC49FAFB7B8EF44704F148148FA51A7291D7B4DA45CB71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00C133B3
              • OpenProcessToken.ADVAPI32(00000000), ref: 00C133BA
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00C133CF
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00C133F3
              • GetLastError.KERNEL32 ref: 00C133F9
              • ExitWindowsEx.USER32 ref: 00C1341C
              • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00C1344B
              • SetSystemPowerState.KERNEL32 ref: 00C1345E
              Strings
              Similarity
              • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
              • String ID: SeShutdownPrivilege
              • API String ID: 2938487562-3733053543
              • Opcode ID: c832af7777d20cf1901c442506e0b58f7fc4f6092927a2969eb3a5ab45a8b5e9
              • Instruction ID: 176214250a7c2aec990a671b7d88c73d40ce43fa88f4eca8b2dda35a6b9ee18a
              • Opcode Fuzzy Hash: c832af7777d20cf1901c442506e0b58f7fc4f6092927a2969eb3a5ab45a8b5e9
              • Instruction Fuzzy Hash: A121F371740205ABFB208BA5EC8EFFEBBACEB08705F104554FD09D61D1DBB69E408660
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C16DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C16DCF
                • Part of subcall function 00C16DB5: GetLastError.KERNEL32(?,00000000,?), ref: 00C16DD9
                • Part of subcall function 00C16DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C16DFF
                • Part of subcall function 00C16D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00C16D9C
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C26090
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C260C4
              • GetLengthSid.ADVAPI32(?), ref: 00C260D6
              • GetAce.ADVAPI32(?,00000000,?), ref: 00C26113
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C2612F
              • GetLengthSid.ADVAPI32(?), ref: 00C26147
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C26170
              • CopySid.ADVAPI32(00000000), ref: 00C26177
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C261A9
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C261CB
              • SetUserObjectSecurity.USER32 ref: 00C261DE
              Similarity
              • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
              • String ID:
              • API String ID: 1255039815-0
              • Opcode ID: 465d4c969648ec9c04008a467af5c9d9de42d05ab22abd48e274a21860be86e8
              • Instruction ID: f0e46befa85f233ed95101fc1f99012989e9518bfb6fe1b2bf43adfc8b061379
              • Opcode Fuzzy Hash: 465d4c969648ec9c04008a467af5c9d9de42d05ab22abd48e274a21860be86e8
              • Instruction Fuzzy Hash: 3A517B71A00219ABDB21DFA5DC84FEEBBBCAF45700F048508F525A7282D774EA45CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 1fb7d8e7f16a27862af15661e4b599bb112d60d8ac7ea0b8f04277d435a8c024
              • Instruction ID: 640c1d79784494b01e2d8ba6a98e5ad9d12bb072dc17da6b3358922d934b9ba2
              • Opcode Fuzzy Hash: 1fb7d8e7f16a27862af15661e4b599bb112d60d8ac7ea0b8f04277d435a8c024
              • Instruction Fuzzy Hash: BB41C0726105069FD310EF66EC89B6EB7F4FF14322F108599F9098B2A1DBB1E900CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C3D614
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 00C3D6A2
              • GetLastError.KERNEL32 ref: 00C3D6AC
              • SetErrorMode.KERNEL32(00000000,?), ref: 00C3D73E
              Strings
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: ffe2e6913b046667d055dc95c823823abc44cf811a795e848bd96e5db3e32b1b
              • Instruction ID: 355551e7f2909e680cf04c74f0516dc6e5d4c10794b9389376dc07c5d87e5ad7
              • Opcode Fuzzy Hash: ffe2e6913b046667d055dc95c823823abc44cf811a795e848bd96e5db3e32b1b
              • Instruction Fuzzy Hash: 6841C075A10208DFCB10EFA5D885ADDBBF4FF09310F10859AF916AB356C771AA41CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: c6265b6dc991dfb755c1787cc982f31f32a5e1e7ad86abe0589598cee54ac990
              • Instruction ID: e6e357b6c256311332fb08fafbd8595fcb2310255420394e2d87aeec8a89376c
              • Opcode Fuzzy Hash: c6265b6dc991dfb755c1787cc982f31f32a5e1e7ad86abe0589598cee54ac990
              • Instruction Fuzzy Hash: 1F51B6A05047E13AFB3AD6789845BE6BF945F06300F088689F1E5558C3D3E8EA94D7A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OleInitialize.OLE32(00000000), ref: 00C4C0DC
              • _wcslen.LIBCMT ref: 00C4C0EE
              • CreateBindCtx.OLE32(00000000,?), ref: 00C4C198
              • MkParseDisplayName.OLE32 ref: 00C4C1DE
                • Part of subcall function 00C31AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00C31B16
                • Part of subcall function 00C31AB8: VariantCopy.OLEAUT32(?,?), ref: 00C31B6E
                • Part of subcall function 00C31AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 00C31B84
                • Part of subcall function 00C31AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 00C31B9D
                • Part of subcall function 00C31AB8: VariantClear.OLEAUT32(-00000058), ref: 00C31C17
              • CLSIDFromProgID.OLE32(00000000,?,?), ref: 00C4C284
              • GetActiveObject.OLEAUT32 ref: 00C4C29E
              Similarity
              • API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
              • String ID:
              • API String ID: 2728119192-0
              • Opcode ID: aed1c183d700f86d2ccdff81d6009c1f6180f63f4417f6fd6277cdac3897c3e7
              • Instruction ID: 54ac0cf808368080d6f8380ba2cf7c08b69b02b6d71c831a62b9b1f1dae7cc6a
              • Opcode Fuzzy Hash: aed1c183d700f86d2ccdff81d6009c1f6180f63f4417f6fd6277cdac3897c3e7
              • Instruction Fuzzy Hash: 63818071618341AFD714EBA5CC81F6BB3E8BF88700F10491CF645972A1EBB0E905CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • FindFirstFileW.KERNEL32(?,?), ref: 00C32455
              • Sleep.KERNEL32(?), ref: 00C32481
              • FindNextFileW.KERNEL32(?,?), ref: 00C3255F
              • FindClose.KERNEL32(?), ref: 00C32575
              Strings
              Similarity
              • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
              • String ID: *.*
              • API String ID: 2786137511-438819550
              • Opcode ID: d6081e14825f48da316dbaabe14fd898f3dfca21aff727f21102e96ac039c3d5
              • Instruction ID: 077de89d9b0c723271c3a8f1b9ac2ee030435db82c7a6a60a4aafef1b964cf1c
              • Opcode Fuzzy Hash: d6081e14825f48da316dbaabe14fd898f3dfca21aff727f21102e96ac039c3d5
              • Instruction Fuzzy Hash: FE416E71A102199FCF14DFA9CC85AEEB7B8AF45300F148599F919A7251D730EF45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: __wcsicollmouse_event
              • String ID: DOWN
              • API String ID: 1033544147-711622031
              • Opcode ID: c452e412b3cf4dcacb7d4383d417819edac1633008770cb06cdcf440d4416b95
              • Instruction ID: e1ed234c4848c261893f04f9cd4af030ec52c07e54188654ed5e37399d12d528
              • Opcode Fuzzy Hash: c452e412b3cf4dcacb7d4383d417819edac1633008770cb06cdcf440d4416b95
              • Instruction Fuzzy Hash: 19F09B726847247AED2026953C06FF733DCCB12767F040161FE1CD6194D9917D4A56FA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C44E62: inet_addr.WSOCK32(?), ref: 00C44E86
              • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00C56629
              • WSAGetLastError.WSOCK32(00000000), ref: 00C5664C
              Similarity
              • API ID: ErrorLastinet_addrsocket
              • String ID:
              • API String ID: 4170576061-0
              • Opcode ID: 5ff01b235faddc47498618187b02fe588eae85a9004761d968afef0e56015bd6
              • Instruction ID: aa374eb2244b05564948a3ff9698dce870c09bf59e03cb234c23f7edb72870a1
              • Opcode Fuzzy Hash: 5ff01b235faddc47498618187b02fe588eae85a9004761d968afef0e56015bd6
              • Instruction Fuzzy Hash: DB41E3726002006BD720EF79DC86F5AB7E4AF44720F148699F914AB3C2DBB5ED818795
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C4F356: IsWindow.USER32(00000000), ref: 00C4F386
              • IsWindowVisible.USER32 ref: 00C5A322
              • IsWindowEnabled.USER32 ref: 00C5A332
              • GetForegroundWindow.USER32(?,?,?,00000001), ref: 00C5A33F
              • IsIconic.USER32 ref: 00C5A34D
              • IsZoomed.USER32 ref: 00C5A35B
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 24b3670c91c4968586aec6465e7371ba57340dc042bb7467dd9fd226226d1472
              • Instruction ID: 845f4f615c06814c6f0b5ac7b429859feebb6aa80403263696204d0a272a13ae
              • Opcode Fuzzy Hash: 24b3670c91c4968586aec6465e7371ba57340dc042bb7467dd9fd226226d1472
              • Instruction Fuzzy Hash: 3811E1367006115FE3209F2BDC08B5EBBE8AF40322F044129F805D7260DBB0ED85C7A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00C01EE1
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C01EF6
              • UnhandledExceptionFilter.KERNEL32(00C643DC), ref: 00C01F01
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00C01F1D
              • TerminateProcess.KERNEL32(00000000), ref: 00C01F24
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              • Opcode ID: 19362648848614b3efa71a493fe803bf795fef03dcf893557d9ede2a47db5192
              • Instruction ID: 0e895defc33c91dfa540c517553252aaf8291128da31dae7669058803689a32d
              • Opcode Fuzzy Hash: 19362648848614b3efa71a493fe803bf795fef03dcf893557d9ede2a47db5192
              • Instruction Fuzzy Hash: 8621A8B8809309DBD7609F66ED4871C3BA4BB08300F5002AAFA2C97772E7B959C18B41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C22654: _wcslen.LIBCMT ref: 00C22680
              • CoInitialize.OLE32(00000000), ref: 00C4E16E
              • CoCreateInstance.OLE32(00C62A08,00000000,00000001,00C628A8,?), ref: 00C4E187
              • CoUninitialize.OLE32 ref: 00C4E1A6
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_wcslen
              • String ID: .lnk
              • API String ID: 886957087-24824748
              • Opcode ID: 3d1a1bf4b61da863ecd1ad3e2d0165b76e5f6c5ba719c7679a4d6931997af9b6
              • Instruction ID: 58a469b459b0b126f1d949d8cb5b8e1feb5cde80f343d49a6026a21384e58914
              • Opcode Fuzzy Hash: 3d1a1bf4b61da863ecd1ad3e2d0165b76e5f6c5ba719c7679a4d6931997af9b6
              • Instruction Fuzzy Hash: 14A149B6A042019FC714EF64C880E5BB7E9BF88310F15895CF9959B391CB71ED46CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetQueryDataAvailable.WININET ref: 00C222A5
              • InternetReadFile.WININET(?,00000000,?,?), ref: 00C222DD
                • Part of subcall function 00C22252: GetLastError.KERNEL32 ref: 00C22268
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Internet$AvailableDataErrorFileLastQueryRead
              • String ID:
              • API String ID: 901099227-0
              • Opcode ID: 31c4c8bf4fee9d91c612614a27a2c75d22142f31c1bbee8ca207335ee6696909
              • Instruction ID: cab89a819255e402435fcbce1715c9d7ccef49f198fed4d11831e3afc6f1220d
              • Opcode Fuzzy Hash: 31c4c8bf4fee9d91c612614a27a2c75d22142f31c1bbee8ca207335ee6696909
              • Instruction Fuzzy Hash: 6821A771600214BBE720DF19EC81FEB73ACFF94720F00C426FA199A580D6B5EA55DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • BlockInput.USER32(00000001), ref: 00C3A378
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: b1e60ed2a47585d39095055039666017e027d0d411de618e7703e856a8be8471
              • Instruction ID: 0e7034add16963b1b78af7207d1326976c0ec70693c6e9993aa142c2a4aae93b
              • Opcode Fuzzy Hash: b1e60ed2a47585d39095055039666017e027d0d411de618e7703e856a8be8471
              • Instruction Fuzzy Hash: 0DE0DF31200300ABC310AF66C808A6ABBE8EF94360F008429F889C7310DBB1E840C7A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32 ref: 00C39528
              • DeleteObject.GDI32 ref: 00C3953E
              • DestroyWindow.USER32(?), ref: 00C39550
              • GetDesktopWindow.USER32 ref: 00C3956E
              • GetWindowRect.USER32(00000000), ref: 00C39575
              • SetRect.USER32 ref: 00C3968B
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C39699
              • CreateWindowExW.USER32 ref: 00C396D5
              • GetClientRect.USER32 ref: 00C396E5
              • CreateWindowExW.USER32 ref: 00C39728
              • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C3974D
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00C39768
              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C39773
              • GlobalLock.KERNEL32 ref: 00C3977C
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C3978B
              • GlobalUnlock.KERNEL32(00000000), ref: 00C39792
              • CloseHandle.KERNEL32(00000000), ref: 00C39799
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 00C397A6
              • OleLoadPicture.OLEAUT32 ref: 00C397BD
              • GlobalFree.KERNEL32 ref: 00C397CF
              • CopyImage.USER32 ref: 00C397FB
              • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00C3981E
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00C39844
              • ShowWindow.USER32(?,00000004), ref: 00C39852
              • CreateWindowExW.USER32 ref: 00C3989C
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C398B0
              • GetStockObject.GDI32 ref: 00C398BA
              • SelectObject.GDI32(00000000,00000000), ref: 00C398C2
              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 00C398D2
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C398DB
              • DeleteDC.GDI32 ref: 00C398E5
              • _wcslen.LIBCMT ref: 00C39903
              • _wcscpy.LIBCMT ref: 00C39927
              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C399C8
              • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00C399DC
              • GetDC.USER32 ref: 00C399E9
              • SelectObject.GDI32(00000000,?,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C399F9
              • SelectObject.GDI32(00000000,00000007), ref: 00C39A24
              • ReleaseDC.USER32 ref: 00C39A2F
              • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00C39A4C
              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C39A5A
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 4040870279-2373415609
              • Opcode ID: b3c5dab70b264d307aa925a57ed301a4ced09e874f5e4ae838e3de5fa35b9586
              • Instruction ID: b8c6cb4ace1beda1845fc3678bf3646cc3c17dad6d6c8f0558b3a47335a3fe62
              • Opcode Fuzzy Hash: b3c5dab70b264d307aa925a57ed301a4ced09e874f5e4ae838e3de5fa35b9586
              • Instruction Fuzzy Hash: E1024071A00205AFDB24DF65CD89FAE7BB9FB48710F148658F919AB291C7B0ED41CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?), ref: 00C390DF
              • SystemParametersInfoW.USER32 ref: 00C3919C
              • SetRect.USER32 ref: 00C391DC
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C391ED
              • CreateWindowExW.USER32 ref: 00C3922F
              • GetClientRect.USER32 ref: 00C3923B
              • CreateWindowExW.USER32 ref: 00C3927D
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C3928F
              • GetStockObject.GDI32 ref: 00C39299
              • SelectObject.GDI32(00000000,00000000), ref: 00C392A1
              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 00C392B1
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C392BA
              • DeleteDC.GDI32 ref: 00C392C3
              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C39309
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C39321
              • CreateWindowExW.USER32 ref: 00C3935B
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C3936F
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C39380
              • CreateWindowExW.USER32 ref: 00C393B5
              • GetStockObject.GDI32 ref: 00C393C0
              • SendMessageW.USER32(?,00000030,00000000), ref: 00C393D0
              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C393DB
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 36f91522a1384fd28e65c89f1e48142b47543a82a4395116383d213e9fdfb202
              • Instruction ID: 6cbf8e9202cb753eea78ed4cf6c8824ded98247e80ff72042246630e8cc1a386
              • Opcode Fuzzy Hash: 36f91522a1384fd28e65c89f1e48142b47543a82a4395116383d213e9fdfb202
              • Instruction Fuzzy Hash: B7A17F71A50204BFEB24DFA4DD8AFAE7769EB44701F108658FB05BB2D0D6F0A941CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Cursor$Load
              • String ID:
              • API String ID: 1675784387-0
              • Opcode ID: e19cc8dce02efb53b10f305bcb96060409a2184558ba404df5553fa337e79397
              • Instruction ID: f9360803a563c4a689c469fac09a862e244e7c970fdf0472aa7af57ab897682c
              • Opcode Fuzzy Hash: e19cc8dce02efb53b10f305bcb96060409a2184558ba404df5553fa337e79397
              • Instruction Fuzzy Hash: B2316472988605E7E6741BE1FD0DF9D3719EB24B23F004011F30A944D0CBF59160DB66
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?,?), ref: 00C36625
              • GetDesktopWindow.USER32 ref: 00C3663A
              • GetWindowRect.USER32(00000000), ref: 00C36641
              • GetWindowLongW.USER32 ref: 00C36699
              • GetWindowLongW.USER32 ref: 00C366AC
              • DestroyWindow.USER32(?), ref: 00C366BD
              • CreateWindowExW.USER32 ref: 00C3670B
              • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00C36729
              • SendMessageW.USER32(?,00000418,00000000,?), ref: 00C3673D
              • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 00C3674D
              • SendMessageW.USER32(?,00000421,?,?), ref: 00C3676D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C36783
              • IsWindowVisible.USER32 ref: 00C367A3
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C367BF
              • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00C367D3
              • GetWindowRect.USER32(?,?), ref: 00C367EA
              • MonitorFromPoint.USER32 ref: 00C36808
              • GetMonitorInfoW.USER32 ref: 00C36820
              • CopyRect.USER32 ref: 00C36835
              • SendMessageW.USER32(?,00000412,00000000), ref: 00C3688B
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
              • String ID: ($,$tooltips_class32
              • API String ID: 225202481-3320066284
              • Opcode ID: aa331fccfd0d5c55f75bb10ff4afba20bec4ef2efd8e01665fa8ee2926b3af08
              • Instruction ID: 1a4ac7f385c312024659ed0bdb4136c7d0ff581d01d195eae89828fd432a546b
              • Opcode Fuzzy Hash: aa331fccfd0d5c55f75bb10ff4afba20bec4ef2efd8e01665fa8ee2926b3af08
              • Instruction Fuzzy Hash: AEB16F70A10209AFDB54DFA9CD85FAEBBB4FF48300F10C558F55AAB281DB74AA45CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C28716
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window
              • String ID: 0
              • API String ID: 2353593579-4108050209
              • Opcode ID: 7c980fb85843b4d470c032228194eb9a6d571413a4dd3fc18991523b90eb3676
              • Instruction ID: cbc84ff47a686cbc7d2d9cd3b32766e03eb3860f48c258647d097b76d55ac19f
              • Opcode Fuzzy Hash: 7c980fb85843b4d470c032228194eb9a6d571413a4dd3fc18991523b90eb3676
              • Instruction Fuzzy Hash: C5B1EF702053509FE324CF25DC89BABBBE4BB98344F08491CF5A1976D1CBB4EA49CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __wcsicoll$__wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 790654849-1810252412
              • Opcode ID: 0279ff954989971cbee89554b599c648cd38d17883dcd6ad19e4900fa703d6c0
              • Instruction ID: fca7eab486ef7fb3abd7bb4e2409fcd7a8175a3ad7d55ea32296c4fdcbacae64
              • Opcode Fuzzy Hash: 0279ff954989971cbee89554b599c648cd38d17883dcd6ad19e4900fa703d6c0
              • Instruction Fuzzy Hash: 41317771A04249A6CF20EA61DD93EAE73ECAF11711F600571FE50B71C5EF64AE0886A6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __wcsicoll$IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2485277191-404129466
              • Opcode ID: 954a0a98a8f120853178c871f6c54c6041cbeeb605a2e99f415e39015024e708
              • Instruction ID: baaca77e2e0bf6ee72818fc17f9e347ad972400026c8c99c92cc280ae4d6f5cb
              • Opcode Fuzzy Hash: 954a0a98a8f120853178c871f6c54c6041cbeeb605a2e99f415e39015024e708
              • Instruction Fuzzy Hash: A121B67274021AA6DB209B65BC05FEE3398DF55352F040432FA04E3186E3A1E96492F9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32 ref: 00C345C1
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C345D3
              • SetWindowTextW.USER32(?,?), ref: 00C345ED
              • GetDlgItem.USER32 ref: 00C34605
              • SetWindowTextW.USER32(00000000,?), ref: 00C3460C
              • GetDlgItem.USER32 ref: 00C3461D
              • SetWindowTextW.USER32(00000000,?), ref: 00C34624
              • SendDlgItemMessageW.USER32 ref: 00C34646
              • SendDlgItemMessageW.USER32 ref: 00C34660
              • GetWindowRect.USER32(?,?), ref: 00C3466A
              • SetWindowTextW.USER32(?,?), ref: 00C346DA
              • GetDesktopWindow.USER32 ref: 00C346E4
              • GetWindowRect.USER32(00000000), ref: 00C346EB
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C34739
              • GetClientRect.USER32 ref: 00C34747
              • PostMessageW.USER32 ref: 00C34771
              • SetTimer.USER32 ref: 00C347B4
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: c0152545e0bd8a1968394d14d655b5e212b96bb3f79f0c572be3254fc3265c78
              • Instruction ID: a6026c2013c2c81a93bfe031371326b8cc5056ebdc7442048877ba42c3d281af
              • Opcode Fuzzy Hash: c0152545e0bd8a1968394d14d655b5e212b96bb3f79f0c572be3254fc3265c78
              • Instruction Fuzzy Hash: B4614AB1A00709ABDB24DFA9CD89FAFB7F8AB48704F104918F64697290D7B4F945CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcslen.LIBCMT ref: 00C44765
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C44775
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C4479D
              • _wcslen.LIBCMT ref: 00C44865
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00C44879
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C448A1
              • _wcslen.LIBCMT ref: 00C448F7
              • _wcslen.LIBCMT ref: 00C4490D
              • _wcslen.LIBCMT ref: 00C4492C
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcslen$Directory$CurrentSystem
              • String ID: D
              • API String ID: 1914653954-2746444292
              • Opcode ID: b346c78c3bf83cc26f787bb09264c89fa431de7fdbff30a56675e5b3c938999c
              • Instruction ID: d4cfebb6bd11447853b1275f71a0b65386c8658bbfa717f48f0d9997d99c1f79
              • Opcode Fuzzy Hash: b346c78c3bf83cc26f787bb09264c89fa431de7fdbff30a56675e5b3c938999c
              • Instruction Fuzzy Hash: 89E1D0B19043819BC314EF65C845B6BB7E8BF85300F24896CF9998B391DB35ED45CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • __wcsicoll.LIBCMT ref: 00BE2262
              • __wcsicoll.LIBCMT ref: 00BE2278
              • __wcsicoll.LIBCMT ref: 00BE228E
                • Part of subcall function 00BF13CB: __wcsicmp_l.LIBCMT ref: 00BF144B
              • __wcsicoll.LIBCMT ref: 00BE22A4
              • _wcscpy.LIBCMT ref: 00BE22C4
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\68821130\mofcxpne.aan,00000104), ref: 00C08AD6
              • _wcscpy.LIBCMT ref: 00C08B29
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              • Associated: 00000008.00000002.514219170.0000000000BE0000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515016602.0000000000C62000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515090792.0000000000C70000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515130013.0000000000C71000.00000008.00020000.sdmp
              • Associated: 00000008.00000002.515175366.0000000000C72000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515216552.0000000000C87000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515247896.0000000000C8B000.00000002.00020000.sdmp
              Similarity
              • API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\68821130\mofcxpne.aan$CMDLINE$CMDLINERAW
              • API String ID: 574121520-3802712307
              • Opcode ID: 329b55ffc3dd42f3a59c862da99db3c54f573c43425936be7e47759316c55b59
              • Instruction ID: ccb079b18476b7a5e9e5968ddd5b03f61382389f1a6632101a7b5b64a9a04401
              • Opcode Fuzzy Hash: 329b55ffc3dd42f3a59c862da99db3c54f573c43425936be7e47759316c55b59
              • Instruction Fuzzy Hash: 8C716371D1025E9BCF04EBE6DC92AEE77F8AF40344F1045A8E60577281EBB0A949CBD1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessagePost$CtrlFocus
              • String ID: 0
              • API String ID: 1534620443-4108050209
              • Opcode ID: 7c9a1547ac3e5ef9773472d672847e1edcc3070b0534f22da69b575afd660355
              • Instruction ID: 39c85dfc0ed555e482058b3c448436a5f300c803084a04c9dbf3ffa00c40a1e6
              • Opcode Fuzzy Hash: 7c9a1547ac3e5ef9773472d672847e1edcc3070b0534f22da69b575afd660355
              • Instruction Fuzzy Hash: 5591C171604325AFD720DF14D885BAFB7E8FB85714F00491DFAA593291D7B0D944CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00C4E877
              • GetMenuItemCount.USER32(?), ref: 00C4E90B
              • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00C4E99F
              • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00C4E9A8
              • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00C4E9B1
              • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00C4E9BA
              • GetMenuItemCount.USER32 ref: 00C4E9C3
              • SetMenuItemInfoW.USER32 ref: 00C4E9FB
              • GetCursorPos.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00C4EA05
              • SetForegroundWindow.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00C4EA0F
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00C4EA25
              • PostMessageW.USER32 ref: 00C4EA32
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
              • String ID: 0
              • API String ID: 1441871840-4108050209
              • Opcode ID: 2ba340a92defa59ccb66153ba32e8a8e60b77d71d73638c37cff036f9aec7e03
              • Instruction ID: d2fe6b7f267344078e16ff7d66641dd87faffcf809e8ad37a1014a0ab7bebf5d
              • Opcode Fuzzy Hash: 2ba340a92defa59ccb66153ba32e8a8e60b77d71d73638c37cff036f9aec7e03
              • Instruction Fuzzy Hash: CD71B170A04304BBEB30CB58CC45FAAB7A8BF85724F35871AF5B56B2D1C7B4A9408B51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00C07F37,?,0000138C,?,00000001,?,?,?), ref: 00C405F5
              • LoadStringW.USER32 ref: 00C405FC
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00C07F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 00C4061C
              • LoadStringW.USER32 ref: 00C40623
              • __swprintf.LIBCMT ref: 00C40661
              • __swprintf.LIBCMT ref: 00C40679
              • _wprintf.LIBCMT ref: 00C4072D
              • MessageBoxW.USER32 ref: 00C40746
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 3631882475-2268648507
              • Opcode ID: 06bb41876dff33b02cd34fa6b2f66f168b82dd850588669504125f00bd13d2b5
              • Instruction ID: 33f071f11ad182ec95a4131d02fc1648a8061c60ed57549ea049336082b71dc5
              • Opcode Fuzzy Hash: 06bb41876dff33b02cd34fa6b2f66f168b82dd850588669504125f00bd13d2b5
              • Instruction Fuzzy Hash: B0418F72A00249ABDB10EBA1CC86EEE77BCEF44751F604465F605B7251DB70AE45CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLocalTime.KERNEL32(?), ref: 00C5225C
              • __swprintf.LIBCMT ref: 00C52273
              • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,00C6BF48), ref: 00C524A6
              • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,00C6BF48), ref: 00C524C0
              • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,00C6BF48), ref: 00C524DA
              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00C6BF48), ref: 00C524F4
              • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,00C6BF48), ref: 00C5250E
              • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,00C6BF48), ref: 00C52528
              • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,00C6BF48), ref: 00C52542
              • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,00C6BF48), ref: 00C5255C
              • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,00C6BF48), ref: 00C52576
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: FolderPath$LocalTime__swprintf
              • String ID: %.3d
              • API String ID: 3337348382-986655627
              • Opcode ID: ff1588513dc5e5e29625a5f2202b367b5b4bf5c26c8ffd5cd7e6f80f3c063c60
              • Instruction ID: ddc286f4a44c3cdf35d93794b7c049405bc91f34fb12a4aab82cae95935e7ede
              • Opcode Fuzzy Hash: ff1588513dc5e5e29625a5f2202b367b5b4bf5c26c8ffd5cd7e6f80f3c063c60
              • Instruction Fuzzy Hash: 69C10E336202189BDB24EB61DC86FED73BCFB44711F4405A9FA09971C2DB719A499B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
              • String ID: %s%u
              • API String ID: 1899580136-679674701
              • Opcode ID: 173a298de66588ac11419a05481de770b813c36980fa4965fe2802fb9238f6e3
              • Instruction ID: 419aa726e518d08f55056faff0e897bade17c3bc2e572a1ce92f22b7b6243ff9
              • Opcode Fuzzy Hash: 173a298de66588ac11419a05481de770b813c36980fa4965fe2802fb9238f6e3
              • Instruction Fuzzy Hash: F1A1C2725043019BDB10DF54C884BEA73E9FF84350F088969FD999B241DB70EA8ACBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDC.USER32 ref: 00C1139D
              • CreateCompatibleBitmap.GDI32 ref: 00C113AE
              • CreateCompatibleDC.GDI32(00000000), ref: 00C113B8
              • SelectObject.GDI32(00000000,?), ref: 00C113C5
              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00C1142B
              • GetDIBits.GDI32 ref: 00C11464
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
              • String ID: (
              • API String ID: 3300687185-3887548279
              • Opcode ID: d7fddba712598b30b5e1e256771d0913e5b0b426d83708c2afc375768cefd8cd
              • Instruction ID: f3edce6effc78603407729420b858063f2a37dc565116076189152510791d89e
              • Opcode Fuzzy Hash: d7fddba712598b30b5e1e256771d0913e5b0b426d83708c2afc375768cefd8cd
              • Instruction Fuzzy Hash: C5516D71A00309AFDB24CF99C884FAFBBB9EF49710F148419FA5597250D774AD44CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C10030
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00C1004B
              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C10056
              • GlobalLock.KERNEL32 ref: 00C10063
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C10072
              • GlobalUnlock.KERNEL32(00000000), ref: 00C10079
              • CloseHandle.KERNEL32(00000000), ref: 00C10080
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C1008D
              • OleLoadPicture.OLEAUT32 ref: 00C100AB
              • GlobalFree.KERNEL32 ref: 00C100BD
              • GetObjectW.GDI32(?,00000018,?), ref: 00C100E4
              • CopyImage.USER32 ref: 00C10115
              • DeleteObject.GDI32 ref: 00C1013D
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C10154
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3969911579-0
              • Opcode ID: 041e49146550aa064eb994c501e0e19bcbecf2a158fae3c1c72202fdf1ed0aee
              • Instruction ID: f8d7996d2561d82eba0ef1a423094beef40339477e22d09472ea61fc7e695dcd
              • Opcode Fuzzy Hash: 041e49146550aa064eb994c501e0e19bcbecf2a158fae3c1c72202fdf1ed0aee
              • Instruction Fuzzy Hash: B1415B75600608BFD720DF65DC88FAE77B8EB49711F208158F905EB290D7B4AE41DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 1965227024-3771769585
              • Opcode ID: 33c5600368ea5a88710d69a1a53aa379f585cf4115c8cede3d026a3eadfdc7ea
              • Instruction ID: 18b8a5b4f0ac4a7fb08a3c7e17448179f10864729d8e2fd0e31bd948074dd02f
              • Opcode Fuzzy Hash: 33c5600368ea5a88710d69a1a53aa379f585cf4115c8cede3d026a3eadfdc7ea
              • Instruction Fuzzy Hash: 2C213A32A00118ABC720AB68DC45FFE73ACDF95715F0046E5FA0993181EEB19B859BB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C3F5C2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C3F5D9
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C3F5EB
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C3F5FE
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C3F60B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C3F621
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: SendString$_memmove_wcslen
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 369157077-1007645807
              • Opcode ID: 927507be4a7c8fbe42fba87d8e47ad38dc1bdfdd5e8f8e89e20494e6eff707f9
              • Instruction ID: d2ff5209b24a31264ed7d40c4b57ea09169701d2757b93df8f3ccd79fb7aacdc
              • Opcode Fuzzy Hash: 927507be4a7c8fbe42fba87d8e47ad38dc1bdfdd5e8f8e89e20494e6eff707f9
              • Instruction Fuzzy Hash: 62219372AA021D35D730FB95DC83FFE73B8AF80B44F104A75F614AA0D1DBB06A458A94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,?,000000FF,?), ref: 00C291FD
              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00C29210
              • CharNextW.USER32(?,?,?,000000FF,?), ref: 00C29242
              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00C2925A
              • SendMessageW.USER32(?,?,00000000,?), ref: 00C2928B
              • SendMessageW.USER32(?,?,000000FF,?), ref: 00C292A2
              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00C292B5
              • SendMessageW.USER32(?,00000402,?), ref: 00C292F2
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C29366
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C293D0
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessageSend$CharNext
              • String ID:
              • API String ID: 1350042424-0
              • Opcode ID: 178b66dfc51ce3883f7d7418474797919c9fe4589acdd6a15c3fd410edc72fd3
              • Instruction ID: 7f59a52dc4d2f227587e9925a3cf16344e18c27c518401e3d5d13098ffadb8cc
              • Opcode Fuzzy Hash: 178b66dfc51ce3883f7d7418474797919c9fe4589acdd6a15c3fd410edc72fd3
              • Instruction Fuzzy Hash: 1181E531A00218ABDB20DF95EC84FFE7778EF55720F108159FA14AB2C0D7B59A55CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __swprintf_wcscpy$__i64tow__itow
              • String ID: %.15g$0x%p$False$True
              • API String ID: 3038501623-2263619337
              • Opcode ID: 1301d8133831e2dced2983f4abb533d1f1f67230a316145399122d54f25ae8d7
              • Instruction ID: 71e4d1a77298e02cfdd0dc4a9c78a9ae41d8f05b1527919484f0ad3d418eeec6
              • Opcode Fuzzy Hash: 1301d8133831e2dced2983f4abb533d1f1f67230a316145399122d54f25ae8d7
              • Instruction Fuzzy Hash: 8F41FC729101149BD710EB79DC82F7A73A8EF55310F0449F6EA09DB243EA36DA1CCB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadStringW.USER32 ref: 00C3E56D
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • LoadStringW.USER32 ref: 00C3E58C
              • __swprintf.LIBCMT ref: 00C3E5E3
              • _wprintf.LIBCMT ref: 00C3E690
              • _wprintf.LIBCMT ref: 00C3E6B4
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2295938435-8599901
              • Opcode ID: 2669f07a2e049b8f6255ea896c6cd0741b9d00c92d184268a1b0dd0a4d200feb
              • Instruction ID: 42c27103ad1ff89990cb6bcf8e791529135285dea2ecf194b265d89ec1c53c07
              • Opcode Fuzzy Hash: 2669f07a2e049b8f6255ea896c6cd0741b9d00c92d184268a1b0dd0a4d200feb
              • Instruction Fuzzy Hash: 62518071E1020D9BDB14EBA5CC82EEF77B8EF44340F208569F91567291EB70AE45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __fread_nolock$_fseek_wcscpy
              • String ID: FILE
              • API String ID: 3888824918-3121273764
              • Opcode ID: 5e69aedeacc99a9d306e9b38aaab93969d72f8360bc8fb2c935550ec754dcb85
              • Instruction ID: 2c592d2e63da8897d2e3455e6b340059e74cd71ab466c6d71238ae75493123c5
              • Opcode Fuzzy Hash: 5e69aedeacc99a9d306e9b38aaab93969d72f8360bc8fb2c935550ec754dcb85
              • Instruction Fuzzy Hash: E94146B2910208B7DB20DBA4DC81FEB73B9EF98710F144959FA0497181E7B59B44CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32 ref: 00C157E9
              • GetWindowRect.USER32(00000000,?), ref: 00C157FB
              • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00C15865
              • GetDlgItem.USER32 ref: 00C15878
              • GetWindowRect.USER32(00000000,?), ref: 00C1588A
              • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 00C158DC
              • GetDlgItem.USER32 ref: 00C158EA
              • GetWindowRect.USER32(00000000,?), ref: 00C158FC
              • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00C15941
              • GetDlgItem.USER32 ref: 00C1594F
              • MoveWindow.USER32(00000000,?,?,?,-000000FB,00000000), ref: 00C15968
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C15975
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 7b3929ced69677ec38281f1ec00c0ec3102b2dc29fbd2a7afb070de168901e9a
              • Instruction ID: eecde310a61f25506e45b2bb29908aaa0bcc78d9075de8c9aa48029d801b08f4
              • Opcode Fuzzy Hash: 7b3929ced69677ec38281f1ec00c0ec3102b2dc29fbd2a7afb070de168901e9a
              • Instruction Fuzzy Hash: BC515D71B00609AFDB18CF69CD95BAEB7BABB88310F148129F915E7390D770EE418B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _wcsncpy.LIBCMT ref: 00C465DD
              • _wcsncpy.LIBCMT ref: 00C46609
                • Part of subcall function 00BEF260: _wcslen.LIBCMT ref: 00BEF262
                • Part of subcall function 00BEF260: _wcscpy.LIBCMT ref: 00BEF282
              • _wcstok.LIBCMT ref: 00C4664C
                • Part of subcall function 00BF3DD8: __getptd.LIBCMT ref: 00BF3DDE
              • _wcstok.LIBCMT ref: 00C466FF
              • GetOpenFileNameW.COMDLG32(00000058), ref: 00C468C1
              • _wcslen.LIBCMT ref: 00C468E0
              • _wcscpy.LIBCMT ref: 00C4678E
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • _wcslen.LIBCMT ref: 00C4690A
              • GetSaveFileNameW.COMDLG32(00000058), ref: 00C46954
                • Part of subcall function 00C411B1: _memmove.LIBCMT ref: 00C41244
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              • Associated: 00000008.00000002.514219170.0000000000BE0000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515016602.0000000000C62000.00000002.00020000.sdmp
              • Associated: 00000008.00000002.515090792.0000000000C70000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515130013.0000000000C71000.00000008.00020000.sdmp
              • Associated: 00000008.00000002.515175366.0000000000C72000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515216552.0000000000C87000.00000004.00020000.sdmp
              • Associated: 00000008.00000002.515247896.0000000000C8B000.00000002.00020000.sdmp
              Similarity
              • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
              • String ID: X
              • API String ID: 3104067586-3081909835
              • Opcode ID: c0a888dbf650196513eb9f9c82fa7efe6d9d29be4792e49a474b1c625492492e
              • Instruction ID: 98607e2908a12c53799a61401e5b12578ac5674f121e36e6ac8370272e014ccf
              • Opcode Fuzzy Hash: c0a888dbf650196513eb9f9c82fa7efe6d9d29be4792e49a474b1c625492492e
              • Instruction Fuzzy Hash: D7C1E4716043448FD724EF65C881AAFB3E5BF85314F108A6CF999872A2DB70ED45CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C3366C: CharLowerBuffW.USER32(?,?), ref: 00C33681
                • Part of subcall function 00C259E6: _wcslen.LIBCMT ref: 00C259F6
              • GetDriveTypeW.KERNEL32(?), ref: 00C58773
              • _wcscpy.LIBCMT ref: 00C5879F
              Strings
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy_wcslen
              • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 3052893215-3593318738
              • Opcode ID: 0f5bb6a29ab0467d7788f8fadd115fbfdd174fab9960cfb97dd233547515eb5f
              • Instruction ID: 5c2cf916ea3ffa7acde6b4c77b7d912dc6fd4899657f68907b4f252bba2003c1
              • Opcode Fuzzy Hash: 0f5bb6a29ab0467d7788f8fadd115fbfdd174fab9960cfb97dd233547515eb5f
              • Instruction Fuzzy Hash: EE61CE766083009BC710EF54D882A5AB7E4EB98341F14482DFD94A7393DB71EA8D8B96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C38698
              • RegConnectRegistryW.ADVAPI32 ref: 00C386B5
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00C386D3
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00C38701
              • CLSIDFromString.OLE32(?,?), ref: 00C3872A
              • RegCloseKey.ADVAPI32(000001FE), ref: 00C38736
              • RegCloseKey.ADVAPI32(?), ref: 00C3873C
              Strings
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 600699880-22481851
              • Opcode ID: 8d39e007c599f72b64a47ce3b8920537a800faa69c69db22d19f9ee4754d0f3d
              • Instruction ID: a1a7608243e789484a973a98a5f3ee28614b6e1e010ee54b82dd41e1fb6a7d67
              • Opcode Fuzzy Hash: 8d39e007c599f72b64a47ce3b8920537a800faa69c69db22d19f9ee4754d0f3d
              • Instruction Fuzzy Hash: 1F417176D1020DABCB14EFA5DC85BEE73B9EF44300F208465FA15A7251DB74A909CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • RegConnectRegistryW.ADVAPI32 ref: 00C4B103
              Similarity
              • API ID: ConnectRegistry_memmove_wcslen
              • String ID:
              • API String ID: 15295421-0
              • Opcode ID: c741edf910eb3fdadb294453b6bfbd419c6ced211dde4fdf4bdd2313d4e075da
              • Instruction ID: 9c57ef95d7702a4c8455e7e9e0f79a299f7a04f8a0671e6cddbda4fca93bdf8e
              • Opcode Fuzzy Hash: c741edf910eb3fdadb294453b6bfbd419c6ced211dde4fdf4bdd2313d4e075da
              • Instruction Fuzzy Hash: F6E16BB1604241ABD714EF29CC82F2BB7E8BF88704F148A4CF5958B281DB75ED05CB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,00C595B7), ref: 00C5933A
              • SafeArrayAllocData.OLEAUT32 ref: 00C59389
              • VariantInit.OLEAUT32 ref: 00C5939B
              • SafeArrayAccessData.OLEAUT32(00C595B7,?), ref: 00C593BC
              • VariantCopy.OLEAUT32(?,?), ref: 00C5941B
              • SafeArrayUnaccessData.OLEAUT32 ref: 00C5942E
              • VariantClear.OLEAUT32(?), ref: 00C59443
              • SafeArrayDestroyData.OLEAUT32(00C595B7), ref: 00C59468
              • SafeArrayDestroyDescriptor.OLEAUT32 ref: 00C59472
              • VariantClear.OLEAUT32(?), ref: 00C59484
              • SafeArrayDestroyDescriptor.OLEAUT32 ref: 00C594A1
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 9c5aec9f0738176dc98ee7ff07fee1db6af3c1b2de42e2e584e784044cfcdfe0
              • Instruction ID: 72ddb862d6aad6bb1f357929d07033a8df96494750513ff6482dc314231c1127
              • Opcode Fuzzy Hash: 9c5aec9f0738176dc98ee7ff07fee1db6af3c1b2de42e2e584e784044cfcdfe0
              • Instruction Fuzzy Hash: 54517176A00219EFCB10DFE5DC84AEEB7B9FF48305F104599E905A7201DB70DA4ADBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 0999c347be357fc3054ec46632f2ca2f4562754a386d00988a6d40ef87268028
              • Instruction ID: 7a2a7a9b14042f7e0fcb9b6208a8667cdffcc5390f833d6e576418c5ca3b3494
              • Opcode Fuzzy Hash: 0999c347be357fc3054ec46632f2ca2f4562754a386d00988a6d40ef87268028
              • Instruction Fuzzy Hash: 93411934604BE95BFF398764A8043A6BAE16F23750F04804ED5F547DC1D7E59AC8C7A2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __swprintf.LIBCMT ref: 00C13058
              • __swprintf.LIBCMT ref: 00C1306A
              • __wcsicoll.LIBCMT ref: 00C13077
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00C1308A
              • LoadResource.KERNEL32(?,00000000), ref: 00C130A2
              • LockResource.KERNEL32(00000000), ref: 00C130AF
              • FindResourceW.KERNEL32(?,?,00000003), ref: 00C130DC
              • LoadResource.KERNEL32(?,00000000), ref: 00C130EA
              • SizeofResource.KERNEL32(?,00000000), ref: 00C130F9
              • LockResource.KERNEL32(?), ref: 00C13105
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
              • String ID:
              • API String ID: 1158019794-0
              • Opcode ID: 89e1a2c1f960ba97f60440b7cd8763b91ef9b0df23ad38fb476ec5e944c6e336
              • Instruction ID: d2a00e5abe12c976e729ace6083d91b8a51fb2f5ad2c4bd0e9db2a37fb158cd4
              • Opcode Fuzzy Hash: 89e1a2c1f960ba97f60440b7cd8763b91ef9b0df23ad38fb476ec5e944c6e336
              • Instruction Fuzzy Hash: 0641BE72604219ABCB20DF65EC84FEF77A9EB8A710F008156F915D6240E7B1DA91C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: AddressProc_free_malloc$_strcat_strlen
              • String ID: AU3_FreeVar
              • API String ID: 2634073740-771828931
              • Opcode ID: 8d4695c1de4a77bb4310893f9fc0f0eef231c8c6ec907add23962a6b8cfbcda4
              • Instruction ID: 6c0af6d921b7b7f555782b219232d8b4ecb0f88998688fbbbf2aec4e391f5a0d
              • Opcode Fuzzy Hash: 8d4695c1de4a77bb4310893f9fc0f0eef231c8c6ec907add23962a6b8cfbcda4
              • Instruction Fuzzy Hash: A9B16DB4A00206DFCB04DF69C885A6AB7F5FF88314F2485A9E9258B362D735FD51CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C36308: GetCursorPos.USER32(?), ref: 00C3631D
                • Part of subcall function 00C36308: ScreenToClient.USER32 ref: 00C3633A
                • Part of subcall function 00C36308: GetAsyncKeyState.USER32 ref: 00C36377
                • Part of subcall function 00C36308: GetAsyncKeyState.USER32 ref: 00C36387
              • DefDlgProcW.USER32(?,00000205,?,?), ref: 00C510FF
              • ImageList_DragLeave.COMCTL32(00000000), ref: 00C5111D
              • ImageList_EndDrag.COMCTL32 ref: 00C51123
              • ReleaseCapture.USER32 ref: 00C51129
              • SetWindowTextW.USER32(?,00000000), ref: 00C511C0
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C511D0
              Strings
              Similarity
              • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              • API String ID: 2483343779-2107944366
              • Opcode ID: 330b7db6689b6cc125c19d48e1db19ffbe7695d87d796e7b228f0668ce56b502
              • Instruction ID: 46faacfe2b0706c01eb929a96f905ef932ebdf54ff9065b672c004ec47af0243
              • Opcode Fuzzy Hash: 330b7db6689b6cc125c19d48e1db19ffbe7695d87d796e7b228f0668ce56b502
              • Instruction Fuzzy Hash: 43510F746003009BC714EF28CC89BAF73A4FF88340F544A69F9519B2A2DB709D48CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C30616
              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C3062A
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C3064B
              • _wcslen.LIBCMT ref: 00C30696
              • _wcscat.LIBCMT ref: 00C306A9
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C306C2
              • SendMessageW.USER32(?,00001061,?,?), ref: 00C306F4
              Strings
              Similarity
              • API ID: MessageSend$Window_wcscat_wcslen
              • String ID: -----$SysListView32
              • API String ID: 4008455318-3975388722
              • Opcode ID: fda561e9a402daf41558d55b8c83a9de9539571564dce79678e15f7f8b12b555
              • Instruction ID: 15e7db10f818ab19e174bbfb90428c4521feafb575445afaedae01bc5f39a3bc
              • Opcode Fuzzy Hash: fda561e9a402daf41558d55b8c83a9de9539571564dce79678e15f7f8b12b555
              • Instruction Fuzzy Hash: 7D51D171A10308ABDB24CFA4CC89FEA77B9EF88304F104659F958A72C1D7B5D994CB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C28101
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C28104
              • GetWindowLongW.USER32 ref: 00C28128
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C2814B
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C281BF
              • SendMessageW.USER32(?,00001074,?,00000007), ref: 00C2820D
              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C28228
              • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 00C2824A
              • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00C28261
              • SendMessageW.USER32(?,00001008,?,00000007), ref: 00C28279
              Similarity
              • API ID: MessageSend$LongWindow
              • String ID:
              • API String ID: 312131281-0
              • Opcode ID: 6516d6e6387efde964894af3d40f93c9d18f13c315dae2a7c41dfeb097374f96
              • Instruction ID: e6dbfd94f9a966002ecd6675e0d097920a11b8f6b70d2e8091445f2e1f6a446f
              • Opcode Fuzzy Hash: 6516d6e6387efde964894af3d40f93c9d18f13c315dae2a7c41dfeb097374f96
              • Instruction Fuzzy Hash: 20618D70A41618AFDB10DF94DC85FEE73B8BF49310F104199FA14AB2D1DBB0AA45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00C1462A
              • GetForegroundWindow.USER32(00000000), ref: 00C1463C
              • GetWindowThreadProcessId.USER32(00000000), ref: 00C14643
              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C14658
              • GetWindowThreadProcessId.USER32(?,?), ref: 00C14666
              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C1467F
              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C1468D
              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00C146DA
              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00C146EE
              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00C146F9
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 28dc883789a894bf58e02a9fd52b65254c7ae4ede0ea2ce80607cfba8260f968
              • Instruction ID: a600c042f6a94095063ff6974784d7403e612cf18990bb44231fbc768d9097de
              • Opcode Fuzzy Hash: 28dc883789a894bf58e02a9fd52b65254c7ae4ede0ea2ce80607cfba8260f968
              • Instruction Fuzzy Hash: 6C318DB1600204AFDB25DF69DC94FBEB7A9FB4A318F05425AF811C7250D7B09E80DB68
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 0-1603158881
              • Opcode ID: 694e0d35b3f3fa6e8accf7fe8b4f3fd5044a663d7915ee6b84625e27302f9be0
              • Instruction ID: 98ee10ec5dadffbaec860967e68f3a3d0297810f0439ee7a56c5cbd1f9cbf8bf
              • Opcode Fuzzy Hash: 694e0d35b3f3fa6e8accf7fe8b4f3fd5044a663d7915ee6b84625e27302f9be0
              • Instruction Fuzzy Hash: 64A17E728002049ADF10EFA4D882BEE73B4BF14304F548479ED59AB186EF74A64DDBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup
              • String ID: 0
              • API String ID: 161812096-4108050209
              • Opcode ID: 570a26d4690c4a38c610853c334972fe801e46244016dfc3393e5e5795f8a85b
              • Instruction ID: 28e00de999bcc058dd77651a4e4e3baacb6ca9612b0ffdcc117dcfb0a1df2de6
              • Opcode Fuzzy Hash: 570a26d4690c4a38c610853c334972fe801e46244016dfc3393e5e5795f8a85b
              • Instruction Fuzzy Hash: DA418B75A01219AFDB10CFA9E884B9AB7B4FF4C310F148159FD199B341EB70A945CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(00000000,00C890E8,?,00000100,?,C:\Users\user\68821130\mofcxpne.aan), ref: 00C1403E
              • LoadStringW.USER32 ref: 00C14047
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1405C
              • LoadStringW.USER32 ref: 00C1405F
              • _wprintf.LIBCMT ref: 00C14088
              • MessageBoxW.USER32 ref: 00C140A0
              Strings
              • C:\Users\user\68821130\mofcxpne.aan, xrefs: 00C14027
              • %s (%d) : ==> %s: %s %s, xrefs: 00C14083
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\68821130\mofcxpne.aan
              • API String ID: 3648134473-3870100001
              • Opcode ID: 2e2573e1ae15b9c085676d7a0676315e5f0253d649221c5e94696a3335283457
              • Instruction ID: 51cd2521675bdb4bfa2224bb6cdf906cbc6188f27340e99e6d281aa4f17d1cd3
              • Opcode Fuzzy Hash: 2e2573e1ae15b9c085676d7a0676315e5f0253d649221c5e94696a3335283457
              • Instruction Fuzzy Hash: 940148B1A543187AE724A755DC46FFA776CD784B01F00419AB748A618099F06D848BB1
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 861ec4ba7489406548f00c1d21346f60a636bdf0f71d8e87f23d36a8c8613feb
              • Instruction ID: 8fb19786734782dd591376522be6625f474021a5afc4a380f887d19d79cc3824
              • Opcode Fuzzy Hash: 861ec4ba7489406548f00c1d21346f60a636bdf0f71d8e87f23d36a8c8613feb
              • Instruction Fuzzy Hash: F9515B71610305BBDB20DF69DC81FAB77A8BB48714F108618FA25DB2D0D7B2E9548B94
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 460af7da68de40e5b7c993531f3e5f5ce871d59f9501d10bcd16707d1d01b6a4
              • Instruction ID: c596b57e265326a79672f9c838c09a9be33333d4c588d07ab0632c795f1cda06
              • Opcode Fuzzy Hash: 460af7da68de40e5b7c993531f3e5f5ce871d59f9501d10bcd16707d1d01b6a4
              • Instruction Fuzzy Hash: 484106322146409AE3319B2DFCC4BEEBB98FBB6325F14001BF58585991C2F6B4959721
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: e262d194943d34601d30f8bf4c97cc0d4fe90377e25f7ba7ad88414dc9b347a0
              • Instruction ID: aa28eaa57f850db39197535e12974722dd99429d7fb86a24608726fe0aa5b5b6
              • Opcode Fuzzy Hash: e262d194943d34601d30f8bf4c97cc0d4fe90377e25f7ba7ad88414dc9b347a0
              • Instruction Fuzzy Hash: 7F01FFB7000B486AD631E7B9DC40FD7B7ED5F95200F018E1DE69A87454DA75F188CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedIncrement.KERNEL32(00C87F04), ref: 00C0C5DF
              • InterlockedDecrement.KERNEL32(00C87F04), ref: 00C0C5FD
              • Sleep.KERNEL32(?), ref: 00C0C605
              • InterlockedIncrement.KERNEL32(00C87F04), ref: 00C0C610
              • InterlockedDecrement.KERNEL32(00C87F04), ref: 00C0C6C2
              Strings
              Similarity
              • API ID: Interlocked$DecrementIncrement$Sleep
              • String ID: @COM_EVENTOBJ
              • API String ID: 327565842-2228938565
              • Opcode ID: 639ff53c34a9955fdb6b92d355f4175ececb65a1de7f49130bcfc906dfc237a4
              • Instruction ID: 4c1c5a2037c9b86b0fa325aef15df84884c4e701a05fb466ec8ae9ca3c7c7501
              • Opcode Fuzzy Hash: 639ff53c34a9955fdb6b92d355f4175ececb65a1de7f49130bcfc906dfc237a4
              • Instruction Fuzzy Hash: 00D1B071D002099BCB10EF95C8C5BEEB3F4FF44304F248669E515AB292DB75AE46CB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C152F4
              • VariantClear.OLEAUT32(?), ref: 00C1532E
              • SafeArrayUnaccessData.OLEAUT32 ref: 00C1534E
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C15381
              • VariantClear.OLEAUT32(?), ref: 00C153C1
              • SafeArrayUnaccessData.OLEAUT32 ref: 00C15404
              Strings
              Similarity
              • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
              • String ID: crts
              • API String ID: 586820018-3724388283
              • Opcode ID: 9d658927c77f519102e5b078fcd075de7a14711656511c692a62fa817b0831b0
              • Instruction ID: 4e189c805351eb51331197ec47ffca550b8f804804d8a1b7f6f9ca617b844b56
              • Opcode Fuzzy Hash: 9d658927c77f519102e5b078fcd075de7a14711656511c692a62fa817b0831b0
              • Instruction Fuzzy Hash: 42419FB5200608DBDB20CF19D880BAAB7B5FF9C314F24812AEE59CB355D771E951CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C2B433
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C2B466
              • EnterCriticalSection.KERNEL32(?), ref: 00C2B483
              • _memmove.LIBCMT ref: 00C2B4E1
              • _memmove.LIBCMT ref: 00C2B504
              • LeaveCriticalSection.KERNEL32(?), ref: 00C2B513
              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C2B52F
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C2B544
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
              • String ID:
              • API String ID: 2737351978-0
              • Opcode ID: e699eb530ce1eda58ad8640ea03d63a2dc8bcda88e0d3a317e1911efc3cc5fd0
              • Instruction ID: 7e27fc0232e6b1fd307291277cbb9fc71b1431035f20277e8a9e32ebcdb0238b
              • Opcode Fuzzy Hash: e699eb530ce1eda58ad8640ea03d63a2dc8bcda88e0d3a317e1911efc3cc5fd0
              • Instruction Fuzzy Hash: B0419A71900608EBC720DF99D885EAFB7F8FF48710F008969FA9697650D7B0EA44DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ___set_flsgetvalue.LIBCMT ref: 00BF515A
              • __calloc_crt.LIBCMT ref: 00BF5166
              • __getptd.LIBCMT ref: 00BF5173
              • CreateThread.KERNEL32 ref: 00BF519A
              • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BF51AA
              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00BF51B5
              • _free.LIBCMT ref: 00BF51BE
              • __dosmaperr.LIBCMT ref: 00BF51C9
                • Part of subcall function 00BF7E9A: __getptd_noexit.LIBCMT ref: 00BF7E9A
              Similarity
              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
              • String ID:
              • API String ID: 3638380555-0
              • Opcode ID: 6bc8abd5477834e7a607443c9440a08760f818d063473fe998abe571784f0fca
              • Instruction ID: 55f928efb1589791b409740b7ec0aa5923f211c3bfb48af5eaf661af21c8c67a
              • Opcode Fuzzy Hash: 6bc8abd5477834e7a607443c9440a08760f818d063473fe998abe571784f0fca
              • Instruction Fuzzy Hash: D111A372145F0C6AD6302BB55C45B7B77D8EF81B70F2002DAFB14A72D2DFB199088661
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00C45196
                • Part of subcall function 00C3875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,00C46CC2,?,00C53B72,00C53B72,?), ref: 00C3877B
              • inet_addr.WSOCK32(?,00000000,?,?), ref: 00C451D8
              • gethostbyname.WSOCK32(?), ref: 00C451E3
              • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00C45259
              • _memmove.LIBCMT ref: 00C45307
              • GlobalFree.KERNEL32 ref: 00C45399
              • WSACleanup.WSOCK32 ref: 00C4539F
              Similarity
              • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
              • String ID:
              • API String ID: 2945290962-0
              • Opcode ID: bfb1716d806b7d43d17d520216aad2cde5064079f71a3f3798ce898b2b6bc475
              • Instruction ID: ca2c36cecaefe3303ec9bd1264f944438cad08d2020dd984ea2b8e9674b334aa
              • Opcode Fuzzy Hash: bfb1716d806b7d43d17d520216aad2cde5064079f71a3f3798ce898b2b6bc475
              • Instruction Fuzzy Hash: 44A1BE72204300AFC310EF65CC81FAEB7E9BF89740F144959F69497292D7B0EA44CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSystemMetrics.USER32 ref: 00C2049C
              • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C206D8
              • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00C206F7
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C2071A
              • SendMessageW.USER32(?,00000469,?,00000000), ref: 00C2074F
              • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 00C20772
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C2078C
              Similarity
              • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
              • String ID:
              • API String ID: 1457242333-0
              • Opcode ID: ac85f74e4628506af22c4870e73384e31bf3bcf9844cc76e7e6daf3da85ea3d3
              • Instruction ID: 63f365a318cd163eab2e69a10c329a9144d731128f7c350057949376fdd00233
              • Opcode Fuzzy Hash: ac85f74e4628506af22c4870e73384e31bf3bcf9844cc76e7e6daf3da85ea3d3
              • Instruction Fuzzy Hash: 2CB1AF30600629DFCB14CF68D9847AEBBF1FF88701F24851AF8A597691D774AA50CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C270BF: DeleteObject.GDI32 ref: 00C270FC
                • Part of subcall function 00C270BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00C2713C
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2714C
                • Part of subcall function 00C270BF: BeginPath.GDI32 ref: 00C27161
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2718A
              • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 00C273E8
              • MoveToEx.GDI32 ref: 00C273F8
              • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 00C27433
              • LineTo.GDI32(?,?,FFFFFFFE), ref: 00C2743C
              • CloseFigure.GDI32(?), ref: 00C27443
              • SetPixel.GDI32 ref: 00C27452
              • Rectangle.GDI32 ref: 00C2746E
              Similarity
              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
              • String ID:
              • API String ID: 4082120231-0
              • Opcode ID: 6155414f5a1176a1de48938bdb2c4955e230405e775ad9ae9960ffcf483814d3
              • Instruction ID: 01e110f4787a638cfed0a4c6a37127ed22c79b1d941ccf2e1560ed4f5b357404
              • Opcode Fuzzy Hash: 6155414f5a1176a1de48938bdb2c4955e230405e775ad9ae9960ffcf483814d3
              • Instruction Fuzzy Hash: CE7149B4904619EFDB14DF95C884EBEBBB9EF89310F248249F851A7241C774AE41DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • RegConnectRegistryW.ADVAPI32 ref: 00C4A51C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00C4A548
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C4A573
              • RegEnumValueW.ADVAPI32 ref: 00C4A5A6
              • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 00C4A5CF
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C4A608
              • RegCloseKey.ADVAPI32(?), ref: 00C4A613
              Similarity
              • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
              • String ID:
              • API String ID: 2027346449-0
              • Opcode ID: 5cef1167edbc41cb874d767c9aa1c288a006c6c7d821475a6c11611ecd111211
              • Instruction ID: 228c8b84d17fc75b70453e9a5b32f904d8dc33fc0d9460b7e030d3fe610166fa
              • Opcode Fuzzy Hash: 5cef1167edbc41cb874d767c9aa1c288a006c6c7d821475a6c11611ecd111211
              • Instruction Fuzzy Hash: 36613A72218341AFD704EF65C881E6FB7E9BF88704F04895CF69587281DB75EA04CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
                • Part of subcall function 00C4F356: IsWindow.USER32(00000000), ref: 00C4F386
              • GetMenu.USER32 ref: 00C5A6BD
              • GetMenuItemCount.USER32(00000000), ref: 00C5A709
              • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 00C5A73D
              • _wcslen.LIBCMT ref: 00C5A758
              • GetMenuItemID.USER32(00000000,?), ref: 00C5A79A
              • GetSubMenu.USER32 ref: 00C5A7AC
              • PostMessageW.USER32 ref: 00C5A83E
              Similarity
              • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
              • String ID:
              • API String ID: 3257027151-0
              • Opcode ID: ebc82d9cf3df3e5429755462cac02c47043efee08a81f4e5b977ede95eb655f6
              • Instruction ID: 8785c0d9325a6c694b770c8465c070e95b705e463ca39bbcc583cf1d00a6b38f
              • Opcode Fuzzy Hash: ebc82d9cf3df3e5429755462cac02c47043efee08a81f4e5b977ede95eb655f6
              • Instruction Fuzzy Hash: 3E51B6766043019BC310EF65D881B5FB7E8FF88315F044A1DF959A7241D771DA88CBA6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00C4C54C
              • WSAGetLastError.WSOCK32(00000000), ref: 00C4C55D
              Similarity
              • API ID: ErrorLastselect
              • String ID:
              • API String ID: 215497628-0
              • Opcode ID: c5f422997fee463a84be5c48fb45f75643e987f3b62cc03310664f84dafadc65
              • Instruction ID: 9e85a0249f964057c68ca86ee2098aa570f43941d342a262a810f123edac078f
              • Opcode Fuzzy Hash: c5f422997fee463a84be5c48fb45f75643e987f3b62cc03310664f84dafadc65
              • Instruction Fuzzy Hash: EE511972A00104ABC710EBA9DC85FBEB7E8FB88720F148599F919D7291DB31ED05C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 43d4962802a079d4f2e53ad5eccbc608c1a6c457806d00a9086d2dcfcf7d875d
              • Instruction ID: 97e1df1ae6864dd5d79df0125be3813db5d045eb45a677503a981b867ac3f517
              • Opcode Fuzzy Hash: 43d4962802a079d4f2e53ad5eccbc608c1a6c457806d00a9086d2dcfcf7d875d
              • Instruction Fuzzy Hash: 2751FCB0508BE13BF73A93689C45BF6BF956F07700F088649F1E5168C2D3A4EA94D791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00C555C2
              • Process32FirstW.KERNEL32 ref: 00C555D2
              • __wsplitpath.LIBCMT ref: 00C555FE
                • Part of subcall function 00BF392E: __wsplitpath_helper.LIBCMT ref: 00BF3970
              • _wcscat.LIBCMT ref: 00C55611
              • __wcsicoll.LIBCMT ref: 00C55635
              • Process32NextW.KERNEL32 ref: 00C55665
              • CloseHandle.KERNEL32(00000000), ref: 00C55674
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
              • String ID:
              • API String ID: 2547909840-0
              • Opcode ID: 165794994b6589c6bac728bc36467fc79074d74c7007d118996ed513afe4b8dd
              • Instruction ID: 23fa09e198477b3125e23318b9e898986c363646dbf4c14fd3270542d9efe49f
              • Opcode Fuzzy Hash: 165794994b6589c6bac728bc36467fc79074d74c7007d118996ed513afe4b8dd
              • Instruction Fuzzy Hash: 26515375900619ABDB10DF95CC85BDE77B8AF44701F1084D4FA09AB282DB74AF48CF65
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b3dc7d3e2953a7fcf3f724a5e697bdf44f5efacb0f63027ad5c3a2ad6d51be0e
              • Instruction ID: 9e46dda067e4e7c9d609abca735d7bd454d64b62396601bc299a6a6406c830d5
              • Opcode Fuzzy Hash: b3dc7d3e2953a7fcf3f724a5e697bdf44f5efacb0f63027ad5c3a2ad6d51be0e
              • Instruction Fuzzy Hash: 9741FB31904124ABD720DF59EC84FEE7764EF47320F188265F969AB6D1C7B05E42DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Rect$Client$Window$MetricsScreenSystem
              • String ID:
              • API String ID: 3220332590-0
              • Opcode ID: d922e40a7e80d78e446064ecc45304deb253b3b95a8a8f381be3bb53de97c45a
              • Instruction ID: 122b24c6641d67dccfbb955a0dabdfec74a0eb7a313a2519000cfbbb64e1b740
              • Opcode Fuzzy Hash: d922e40a7e80d78e446064ecc45304deb253b3b95a8a8f381be3bb53de97c45a
              • Instruction Fuzzy Hash: A5A15A75A0070ADBCB20CFB8C5847EEB7B1FF59314F108519E9A9D7250E7B0AA94EB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 00C2C4E6
              • SetKeyboardState.USER32(00000080), ref: 00C2C50A
              • PostMessageW.USER32 ref: 00C2C54B
              • PostMessageW.USER32 ref: 00C2C583
              • PostMessageW.USER32 ref: 00C2C5A5
              • SendInput.USER32(00000001,?,0000001C), ref: 00C2C638
              Similarity
              • API ID: MessagePost$KeyboardState$InputSend
              • String ID:
              • API String ID: 2221674350-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEF260: _wcslen.LIBCMT ref: 00BEF262
                • Part of subcall function 00BEF260: _wcscpy.LIBCMT ref: 00BEF282
              • _wcslen.LIBCMT ref: 00C237D1
              • _wcslen.LIBCMT ref: 00C237EA
              • _wcstok.LIBCMT ref: 00C237FC
              • _wcslen.LIBCMT ref: 00C23810
              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C2381E
              • _wcstok.LIBCMT ref: 00C23835
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
              • String ID:
              • API String ID: 3632110297-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00C88178), ref: 00C1319E
              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00C88178), ref: 00C131B9
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C88178), ref: 00C131C3
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00C88178), ref: 00C131CB
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C88178), ref: 00C131D5
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C270BF: DeleteObject.GDI32 ref: 00C270FC
                • Part of subcall function 00C270BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00C2713C
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2714C
                • Part of subcall function 00C270BF: BeginPath.GDI32 ref: 00C27161
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2718A
              • MoveToEx.GDI32 ref: 00C271C4
              • LineTo.GDI32(?,?,?), ref: 00C271D0
              • MoveToEx.GDI32 ref: 00C271DE
              • LineTo.GDI32(?,?,?), ref: 00C271EA
              • EndPath.GDI32 ref: 00C271FA
              • StrokePath.GDI32 ref: 00C27208
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
              • String ID:
              • API String ID: 372113273-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BEF048
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BEF050
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BEF05B
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BEF066
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BEF06E
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF076
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00C2B5E1
              • EnterCriticalSection.KERNEL32(?), ref: 00C2B5F2
              • TerminateThread.KERNEL32(?,000001F6), ref: 00C2B600
              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 00C2B60E
                • Part of subcall function 00C125E5: CloseHandle.KERNEL32(00000000,00000000,?,00C2B61A,00000000,?,000003E8,?,000001F6), ref: 00C125F3
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C2B623
              • LeaveCriticalSection.KERNEL32(?), ref: 00C2B62A
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ___set_flsgetvalue.LIBCMT ref: 00BF50E0
                • Part of subcall function 00BF77D1: TlsGetValue.KERNEL32 ref: 00BF77DA
                • Part of subcall function 00BF77D1: TlsSetValue.KERNEL32(00000000,?,00BF12DC,?,00000001), ref: 00BF77FB
              • ___fls_getvalue@4.LIBCMT ref: 00BF50EB
                • Part of subcall function 00BF77B1: TlsGetValue.KERNEL32 ref: 00BF77BF
              • ___fls_setvalue@8.LIBCMT ref: 00BF50FD
              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00BF5106
              • ExitThread.KERNEL32 ref: 00BF510D
              • __freefls@4.LIBCMT ref: 00BF5129
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
              • String ID:
              • API String ID: 442100245-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Menu$Item$DrawInfoInsert
              • String ID: 0
              • API String ID: 3076010158-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Handle
              • String ID: nul
              • API String ID: 2519475695-2873401336
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00C23281
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Handle
              • String ID: nul
              • API String ID: 2519475695-2873401336
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C3D446
              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 00C3D4BC
              • __swprintf.LIBCMT ref: 00C3D4D6
              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 00C3D51A
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE2390: _wcslen.LIBCMT ref: 00BE239D
                • Part of subcall function 00BE2390: _memmove.LIBCMT ref: 00BE23C3
                • Part of subcall function 00C16406: SendMessageTimeoutW.USER32 ref: 00C16425
                • Part of subcall function 00C16406: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C16438
                • Part of subcall function 00C16406: GetCurrentThreadId.KERNEL32 ref: 00C1643F
                • Part of subcall function 00C16406: AttachThreadInput.USER32(00000000), ref: 00C16446
              • GetFocus.USER32 ref: 00C412C7
                • Part of subcall function 00C16451: GetParent.USER32(?), ref: 00C1645F
                • Part of subcall function 00C16451: GetParent.USER32(?), ref: 00C1646B
              • GetClassNameW.USER32 ref: 00C41310
              • EnumChildWindows.USER32 ref: 00C4133B
              • __swprintf.LIBCMT ref: 00C41354
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
              • String ID: %s%d
              • API String ID: 2645982514-1110647743
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • RegConnectRegistryW.ADVAPI32 ref: 00C4A72B
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ConnectRegistry_memmove_wcslen
              • String ID:
              • API String ID: 15295421-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 00C2C348
              • SetKeyboardState.USER32(00000080), ref: 00C2C36C
              • PostMessageW.USER32 ref: 00C2C3B0
              • PostMessageW.USER32 ref: 00C2C3E8
              • SendInput.USER32(00000001,?,0000001C), ref: 00C2C475
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: KeyboardMessagePostState$InputSend
              • String ID:
              • API String ID: 3031425849-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 00C4449A
              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?), ref: 00C44534
              • GetProcAddress.KERNEL32(?,00000000,?,?,?), ref: 00C44553
              • GetProcAddress.KERNEL32(?,?,?,?,00000041,?,?,?), ref: 00C44597
              • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C445B9
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AddressProc$Library$FreeLoad
              • String ID:
              • API String ID: 2449869053-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AsyncState$ClientCursorLongScreenWindow
              • String ID:
              • API String ID: 3539004672-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedIncrement.KERNEL32(00C87F04), ref: 00C5D3F2
              • InterlockedDecrement.KERNEL32(00C87F04), ref: 00C5D407
              • Sleep.KERNEL32(?), ref: 00C5D40F
              • InterlockedIncrement.KERNEL32(00C87F04), ref: 00C5D41A
              • InterlockedDecrement.KERNEL32(00C87F04), ref: 00C5D524
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Interlocked$DecrementIncrement$Sleep
              • String ID:
              • API String ID: 327565842-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetPrivateProfileSectionW.KERNEL32 ref: 00C3C43C
              • GetPrivateProfileSectionW.KERNEL32 ref: 00C3C464
              • WritePrivateProfileSectionW.KERNEL32 ref: 00C3C4B0
              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 00C3C4D4
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C3C4E3
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: PrivateProfile$SectionWrite$String
              • String ID:
              • API String ID: 2832842796-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 00C27806
              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 00C27820
              • DefDlgProcW.USER32(?,0000007B,?,?), ref: 00C27841
              • GetCursorPos.USER32(00000000), ref: 00C2788E
              • TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 00C278B5
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CursorMenuPopupTrack$Proc
              • String ID:
              • API String ID: 1300944170-0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C44E62: inet_addr.WSOCK32(?), ref: 00C44E86
              • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00C4503B
              • WSAGetLastError.WSOCK32(00000000), ref: 00C4504A
              • connect.WSOCK32(00000000,?,00000010), ref: 00C45083
              • WSAGetLastError.WSOCK32(00000000), ref: 00C450AA
              • closesocket.WSOCK32(00000000,00000000), ref: 00C450BE
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ErrorLast$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 245547762-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32 ref: 00C270FC
              • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00C2713C
              • SelectObject.GDI32(?,00000000), ref: 00C2714C
              • BeginPath.GDI32 ref: 00C27161
              • SelectObject.GDI32(?,00000000), ref: 00C2718A
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Object$Select$BeginCreateDeletePath
              • String ID:
              • API String ID: 2338827641-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _malloc.LIBCMT ref: 00BFF627
                • Part of subcall function 00BF34DB: __FF_MSGBANNER.LIBCMT ref: 00BF34F4
                • Part of subcall function 00BF34DB: __NMSG_WRITE.LIBCMT ref: 00BF34FB
                • Part of subcall function 00BF34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00BF6A35,?,00000001,?,?,00BF8179,00000018,00C6D180,0000000C,00BF8209), ref: 00BF3520
              • _free.LIBCMT ref: 00BFF63A
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNEL32(00000000), ref: 00C1457F
              • QueryPerformanceCounter.KERNEL32(?), ref: 00C1459C
              • Sleep.KERNEL32(00000000), ref: 00C145BB
              • QueryPerformanceCounter.KERNEL32(?), ref: 00C145C5
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF1810: _doexit.LIBCMT ref: 00BF181C
              • ___set_flsgetvalue.LIBCMT ref: 00BF50E0
                • Part of subcall function 00BF77D1: TlsGetValue.KERNEL32 ref: 00BF77DA
                • Part of subcall function 00BF77D1: TlsSetValue.KERNEL32(00000000,?,00BF12DC,?,00000001), ref: 00BF77FB
              • ___fls_getvalue@4.LIBCMT ref: 00BF50EB
                • Part of subcall function 00BF77B1: TlsGetValue.KERNEL32 ref: 00BF77BF
              • ___fls_setvalue@8.LIBCMT ref: 00BF50FD
              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00BF5106
              • ExitThread.KERNEL32 ref: 00BF510D
              • __freefls@4.LIBCMT ref: 00BF5129
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
              • String ID:
              • API String ID: 4247068974-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C22654: _wcslen.LIBCMT ref: 00C22680
              • CoInitialize.OLE32(00000000), ref: 00C583FC
              • CoCreateInstance.OLE32(00C62A08,00000000,00000001,00C628A8,?), ref: 00C58415
              • CoUninitialize.OLE32 ref: 00C585F6
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_wcslen
              • String ID: .lnk
              • API String ID: 886957087-24824748
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C14300: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C14331
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C16579
                • Part of subcall function 00C142C4: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00C142F5
                • Part of subcall function 00C14394: GetWindowThreadProcessId.USER32(?,?), ref: 00C143C7
                • Part of subcall function 00C14394: OpenProcess.KERNEL32(00000438,00000000,?), ref: 00C143D8
                • Part of subcall function 00C14394: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00C143EF
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C165E9
              • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00C16669
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2A7BE
              • HttpSendRequestW.WININET ref: 00C2A80D
              • HttpQueryInfoW.WININET ref: 00C2A845
                • Part of subcall function 00C22252: GetLastError.KERNEL32 ref: 00C22268
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3705125965-3916222277
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BF14F7: _malloc.LIBCMT ref: 00BF1511
              • CLSIDFromString.OLE32(?,00000000), ref: 00C15244
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C15293
              • SafeArrayUnaccessData.OLEAUT32 ref: 00C152C2
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
              • String ID: crts
              • API String ID: 943502515-3724388283
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00C1120B
              • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 00C1121D
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: ICMP.DLL$IcmpSendEcho
              • API String ID: 2574300362-58917771
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00C1126F
              • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00C11281
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: ICMP.DLL$IcmpCreateFile
              • API String ID: 2574300362-275556492
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00C1123D
              • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 00C1124F
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: ICMP.DLL$IcmpCloseHandle
              • API String ID: 2574300362-3530519716
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • SetErrorMode.KERNEL32 ref: 00C58188
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C58341
                • Part of subcall function 00C1397D: GetFileAttributesW.KERNEL32(?), ref: 00C13984
              • SetErrorMode.KERNEL32(?), ref: 00C5822A
              • SetErrorMode.KERNEL32(?), ref: 00C582FA
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ErrorMode$AttributesFile_memmove_wcslen
              • String ID:
              • API String ID: 3884216118-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32 ref: 00C594C9
              • SysAllocString.OLEAUT32(00000000), ref: 00C59592
              • VariantCopy.OLEAUT32(?,?), ref: 00C595C9
              • VariantClear.OLEAUT32(?), ref: 00C5960A
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
              • Instruction ID: 795f4cc0746228571ba0a5db01536de4e574df678f5c7506c1ba39f5a2e4a5f0
              • Opcode Fuzzy Hash: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
              • Instruction Fuzzy Hash: A741B531A0060C9BDB249F79C8846BFBBF5EF90760F2485A9E715A7250DB70DE98CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 63596ef14aea975053091bb742866470b6c11771fb0a2a37feb4ca585d004add
              • Instruction ID: 1d2a37927a5722aadd8c7ef0f86d259a5c1f58c22b5db40ab415a3e0f98e7fc6
              • Opcode Fuzzy Hash: 63596ef14aea975053091bb742866470b6c11771fb0a2a37feb4ca585d004add
              • Instruction Fuzzy Hash: AD4182756002289FC715CF59E884FADB7B6FFA5710F1882A9FD158B750D730A941CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C3D235
              • GetLastError.KERNEL32(?,00000000), ref: 00C3D259
              • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 00C3D279
              • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C3D297
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: 2a3e27e0b18235cba3c886b60961ae97a2d6e56071ad7540d3d4d1a0bffdf08c
              • Instruction ID: e09d373880a8277b894349d906b0fcefa44216b694932c6cc2ef46ae3d0e03fb
              • Opcode Fuzzy Hash: 2a3e27e0b18235cba3c886b60961ae97a2d6e56071ad7540d3d4d1a0bffdf08c
              • Instruction Fuzzy Hash: FE318EB1910201ABCB10EFA6D989A6EB7E8FF45310F148949FC54AB311CB75EE46DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 00C3033E
              • DefDlgProcW.USER32(?,00000138,?,?), ref: 00C3038D
              • DefDlgProcW.USER32(?,00000133,?,?), ref: 00C303DC
              • DefDlgProcW.USER32(?,00000134,?,?), ref: 00C3040D
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Proc$Parent
              • String ID:
              • API String ID: 2351499541-0
              • Opcode ID: 82f6bb4bccc353a7f09151dba9c4cd6701f2635a08acbf6f4cbe9777ad35d376
              • Instruction ID: dfbb87ab7002f56c84c652da2c1642765c9150ef4c56cdce5b3671db5b6d883a
              • Opcode Fuzzy Hash: 82f6bb4bccc353a7f09151dba9c4cd6701f2635a08acbf6f4cbe9777ad35d376
              • Instruction Fuzzy Hash: 6631C4372101046FC770DF69EC98EAB7728EF85335F244216F6658B2E2CBB19A46D760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32 ref: 00C54356
                • Part of subcall function 00C238C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C238E8
                • Part of subcall function 00C238C5: GetCurrentThreadId.KERNEL32 ref: 00C238EF
                • Part of subcall function 00C238C5: AttachThreadInput.USER32(00000000), ref: 00C238F6
              • GetCaretPos.USER32(?), ref: 00C5436C
              • ClientToScreen.USER32 ref: 00C543A2
              • GetForegroundWindow.USER32 ref: 00C543A8
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 11d43eb1a13c77fc9da8c0d58e0855b60680d691f26ef0f45205c289e44d24a8
              • Instruction ID: 0ae34991d110255403eb34b307153bdbac44b7c0f888b81f6b32c8e4491f47f7
              • Opcode Fuzzy Hash: 11d43eb1a13c77fc9da8c0d58e0855b60680d691f26ef0f45205c289e44d24a8
              • Instruction Fuzzy Hash: FA219571A00305BBDB10EFA5CC86B9EB3E8AF44704F144459FA15BB282D7B5A9848BA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C4F356: IsWindow.USER32(00000000), ref: 00C4F386
              • GetWindowLongW.USER32 ref: 00C5A299
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C5A2B4
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C5A2CC
              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 00C5A2DB
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$Long$AttributesLayered
              • String ID:
              • API String ID: 2169480361-0
              • Opcode ID: eb75fe3a748af392e9774030309782c515b97bedc8c7ddd352ae094884c2eb43
              • Instruction ID: fe7ec52491f713bd615969243d3a53262cae8e6708be77d6cd5839d76ae3112b
              • Opcode Fuzzy Hash: eb75fe3a748af392e9774030309782c515b97bedc8c7ddd352ae094884c2eb43
              • Instruction Fuzzy Hash: 9A21DF32205514BFD310AB2AEC45FABBB98FF81330F244219F819D72A1C771AC85C7A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C3875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,00C46CC2,?,00C53B72,00C53B72,?), ref: 00C3877B
              • gethostbyname.WSOCK32(?,00000000,?,?), ref: 00C4C5A6
              • WSAGetLastError.WSOCK32(00000000), ref: 00C4C5B2
              • _memmove.LIBCMT ref: 00C4C5EE
              • inet_ntoa.WSOCK32(?), ref: 00C4C5FA
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 2502553879-0
              • Opcode ID: 3924043fb7c74b9d7faad4bc8f925a62d9464a6608277af0f27a26f8ab19e069
              • Instruction ID: a2a308eb355278e6db4c10045f6a06848df6db5541efbafda0a5db1f9431060c
              • Opcode Fuzzy Hash: 3924043fb7c74b9d7faad4bc8f925a62d9464a6608277af0f27a26f8ab19e069
              • Instruction Fuzzy Hash: C5212176A10204ABCB14FBA5DC85DAFB7FCEF48310B104595F905A7242DB35EE0587A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateWindowExW.USER32 ref: 00C101AF
              • GetStockObject.GDI32 ref: 00C101C5
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C101CF
              • ShowWindow.USER32(00000000,00000000), ref: 00C101EA
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Window$CreateMessageObjectSendShowStock
              • String ID:
              • API String ID: 1358664141-0
              • Opcode ID: 9582f92b2cf52abeecba3dc30e7548532fca81e4cb56d55c9d0b21b998bb96b5
              • Instruction ID: c565305d105354b0af497fcb32ffe94387cac137ae01cabf7b4b83872a746ef1
              • Opcode Fuzzy Hash: 9582f92b2cf52abeecba3dc30e7548532fca81e4cb56d55c9d0b21b998bb96b5
              • Instruction Fuzzy Hash: C8113372240904BBD725CF59DC45FDFB769AF89B10F248209FA18932A0D7B4EC91CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00C2B581
              • InterlockedExchange.KERNEL32(?,?), ref: 00C2B58F
              • LeaveCriticalSection.KERNEL32(?), ref: 00C2B5A6
              • LeaveCriticalSection.KERNEL32(?), ref: 00C2B5B8
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
              • String ID:
              • API String ID: 2223660684-0
              • Opcode ID: 9bccf02796099458a34a69ab4c7af85378c0a58947c1856a01166f3ff6bfbbc3
              • Instruction ID: b6ef0f6e4cae182d43fb1e14f55c3a6909d3f3474f41a7a2bc0c87f5cd4bdacd
              • Opcode Fuzzy Hash: 9bccf02796099458a34a69ab4c7af85378c0a58947c1856a01166f3ff6bfbbc3
              • Instruction Fuzzy Hash: 64F05E36242514AF86245B56FC58ADBB3ACEB99731300462BE541C391087A2F845CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C270BF: DeleteObject.GDI32 ref: 00C270FC
                • Part of subcall function 00C270BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00C2713C
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2714C
                • Part of subcall function 00C270BF: BeginPath.GDI32 ref: 00C27161
                • Part of subcall function 00C270BF: SelectObject.GDI32(?,00000000), ref: 00C2718A
              • MoveToEx.GDI32 ref: 00C2723B
              • LineTo.GDI32(?,?,?), ref: 00C2724A
              • EndPath.GDI32 ref: 00C2725A
              • StrokePath.GDI32 ref: 00C27268
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
              • String ID:
              • API String ID: 2783949968-0
              • Opcode ID: b68651983791d5e46d0214a356f277ab7139f00c9deaec52d3a8225a8de2d219
              • Instruction ID: 8f8df804d32bc11fed3413ef968ccc35959561df27e1d7758d624db727ee18b9
              • Opcode Fuzzy Hash: b68651983791d5e46d0214a356f277ab7139f00c9deaec52d3a8225a8de2d219
              • Instruction Fuzzy Hash: F3F09070109668BBE7219F15EC49FAE3B5CAF06310F108200FD11622D2CBB46E41CBB5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageTimeoutW.USER32 ref: 00C16425
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C16438
              • GetCurrentThreadId.KERNEL32 ref: 00C1643F
              • AttachThreadInput.USER32(00000000), ref: 00C16446
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: d8d763a6ad7cf778577b224d4e74e1105b25f79150a02f9787d8d7a781e558a3
              • Instruction ID: 3af1f0809a83c1b9abbdc56e7de5d9a6b78abb6ff9705d062fdcb445fb3d70d9
              • Opcode Fuzzy Hash: d8d763a6ad7cf778577b224d4e74e1105b25f79150a02f9787d8d7a781e558a3
              • Instruction Fuzzy Hash: 1EF0927128471476EB31ABA29C0EFDE375CAB15B11F54C001F701AA0C0C6F4E64087A9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __getptd_noexit.LIBCMT ref: 00BF5070
                • Part of subcall function 00BF7913: GetLastError.KERNEL32(00000003,?,00BF7994,?,00BF1259,?,?,00BF12DC,?,00000001), ref: 00BF7917
                • Part of subcall function 00BF7913: ___set_flsgetvalue.LIBCMT ref: 00BF7925
                • Part of subcall function 00BF7913: __calloc_crt.LIBCMT ref: 00BF7939
                • Part of subcall function 00BF7913: GetCurrentThreadId.KERNEL32 ref: 00BF7969
                • Part of subcall function 00BF7913: SetLastError.KERNEL32(00000000,?,00BF12DC,?,00000001), ref: 00BF7981
              • CloseHandle.KERNEL32(?,?,00BF50BB), ref: 00BF5084
              • __freeptd.LIBCMT ref: 00BF508B
              • ExitThread.KERNEL32 ref: 00BF5093
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
              • String ID:
              • API String ID: 1454798553-0
              • Opcode ID: 4d863f79fbad027aa8264187602379ab93ab78028c71d37720f2b625e6c33959
              • Instruction ID: 57ee61754cc2d95d71a98d8b6c870eaa10441848c845bfe964d92e45d641334f
              • Opcode Fuzzy Hash: 4d863f79fbad027aa8264187602379ab93ab78028c71d37720f2b625e6c33959
              • Instruction Fuzzy Hash: 3FD0A731405D1417C1312334480DF2E22D9DF40731B150B94F725C72E1CFA4CD4646E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _strncmp
              • String ID: Q\E
              • API String ID: 909875538-2189900498
              • Opcode ID: a29aba9b5c4ffb9204338502343d1c31c4d0e7864241376bd56c526fca6f39d0
              • Instruction ID: bb6effefff464e767b537cabc6d5dadaf21bbe85b742769750e7e791918a4b63
              • Opcode Fuzzy Hash: a29aba9b5c4ffb9204338502343d1c31c4d0e7864241376bd56c526fca6f39d0
              • Instruction Fuzzy Hash: ACC1B0709042599BDF318F5884503AABBB5AF1A710F6841AEE8F493AD5D3719FC3DB80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BEF260: _wcslen.LIBCMT ref: 00BEF262
                • Part of subcall function 00BEF260: _wcscpy.LIBCMT ref: 00BEF282
              • __wcsnicmp.LIBCMT ref: 00C463D5
              • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 00C4647B
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Connection__wcsnicmp_wcscpy_wcslen
              • String ID: LPT
              • API String ID: 3035604524-1350329615
              • Opcode ID: 3ae83abc408506cb7485f948fbbd4fe24f7cee34e2f53afbe82e3a767c64cad6
              • Instruction ID: e2bb41fdb605403aed4c9662db8f7a5c947ee96021452d7ebbcbadf042aba140
              • Opcode Fuzzy Hash: 3ae83abc408506cb7485f948fbbd4fe24f7cee34e2f53afbe82e3a767c64cad6
              • Instruction Fuzzy Hash: 5E51C1B5A00204ABCB20DFA5CC81FAEB7F5FB86700F108599F5169B245DB70EE45CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C2839F
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C283B8
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              • Opcode ID: 2b687f5f56d79a3efdd7d3b3ab2d272e55dbc9db04c1642985a47237f19bc888
              • Instruction ID: 0b72e20423c23bf69e78363261f9a5533fddc10590bdacc09107bc82d5ab1d66
              • Opcode Fuzzy Hash: 2b687f5f56d79a3efdd7d3b3ab2d272e55dbc9db04c1642985a47237f19bc888
              • Instruction Fuzzy Hash: B6418D75A002199FCB04CF98E880BEEB7B5FF48700F14816AE915AB755DB70A905DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _strlen.LIBCMT ref: 00BEF548
                • Part of subcall function 00BEF570: _memmove.LIBCMT ref: 00BEF5B9
                • Part of subcall function 00BEF570: _memmove.LIBCMT ref: 00BEF5D3
              • _sprintf.LIBCMT ref: 00BEF69E
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove$_sprintf_strlen
              • String ID: %02X
              • API String ID: 1921645428-436463671
              • Opcode ID: a4bb588077b3a0d2627205a8d3e8ebed2dd19e2f4e8d0a4c1724a321a1fbfdd6
              • Instruction ID: f3da31edee1174956c95c1a19a7d73bd3556ff7d9986d507711a2a44f7aeb43c
              • Opcode Fuzzy Hash: a4bb588077b3a0d2627205a8d3e8ebed2dd19e2f4e8d0a4c1724a321a1fbfdd6
              • Instruction Fuzzy Hash: E321D77270025937DB10A769CC82BBBB3DCEF91700F1041B6F64697282EB64AE19C3A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00C312C0
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C312D0
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID: ?T
              • API String ID: 4104443479-3504941901
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: InternetOpen
              • String ID: <local>
              • API String ID: 2038078732-4266983199
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00BE1D10: _wcslen.LIBCMT ref: 00BE1D11
                • Part of subcall function 00BE1D10: _memmove.LIBCMT ref: 00BE1D57
              • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00C490EB
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: MessageSend_memmove_wcslen
              • String ID: ComboBox$ListBox
              • API String ID: 547829025-1403004172
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MessageBoxW.USER32 ref: 00C17058
                • Part of subcall function 00BF17FA: _doexit.LIBCMT ref: 00BF1806
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.514267610.0000000000BE1000.00000020.00020000.sdmp, Offset: 00BE0000, based on PE: true
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              Uniqueness

              Uniqueness Score: -1.00%